Timely Java security updates are necessary to protect your infrastructure

Managing Java security is a critical challenge for every operations team. Every few quarters the Java community is made aware of one or more high-severity CVEs, and these need to be addressed quickly.

The Java community updates the platform quarterly, through a combination of security-only Critical Patch Updates (CPUs) and Patch Set Updates (PSUs), which contain security updates plus new and back-ported features and bug fixes.

 

Zulu Common Vulnerabilities and Exposures Fixes

July 2020 – CVSS VERSION 3.0 RISK

| CVE | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Modules Changed to Address CVE | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14664 | JavaFX | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14,13,11,8 | 14,13,11: javafx.graphics; 8: RT | Note 1 |
| CVE-2020-14583 | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14,13,11,8,7,6 | 14,13,11: java.base; 8,7,6: JDK | Note 1 |
| CVE-2020-14593 | 2D | Multiple | Yes | 7.4 | Network | Low | None | Required | Changed | None | High | None | 14,13,11,8,7,6 | 14,13,11: java.desktop; 8,7,6: JDK | Note 1 |
| CVE-2020-14621 | JAXP | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | Low | None | 14,13,11,8,7,6 | 14,13,11: java.xml; 8,7,6: JAXP | Note 2 |
| CVE-2020-14562 | ImageIO | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 14,13,11 | 14,13,11: java.desktop | Note 1 |
| CVE-2020-14556 | Libraries | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 14,13,11,8 | 14,13,11: java.base; 8: JDK | Note 3 |
| CVE-2020-14581 | 2D | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14,13,11 | 14,13,11: java.desktop | Note 3 |
| CVE-2020-14579 | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8,7,6 | 8,7,6: JDK | Note 3 |
| CVE-2020-14578 | Libraries | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 8,7,6 | 8,7,6: JDK | Note 3 |
| CVE-2020-14577 | JSSE | TLS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14,13,11,8,7,6 | 14,13: java.base; 11: java.base, OpenJSSE; 8: JDK, OpenJSSE; 7,6: JDK | Note 3 |
| CVE-2020-14573 | Hotspot | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | Low | None | N/A | N/A | Note 3 |
 
| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 2 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |
| 3 | This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |

April 2020 – CVSS VERSION 3.0 RISK

| CVE | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-2830 | Concurrency | Multiple | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 14,13,11,8,7,6 | Note 3 |
| CVE-2020-2816 | JSSE | HTTPS | Yes | 7.5 | Network | Low | None | None | Unchanged | None | High | None | 14,13,11,8* | Note 2 |
| CVE-2020-2805 | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14,13,11,8,7 | Note 1 |
| CVE-2020-2803 | Libraries | Multiple | Yes | 8.3 | Network | High | None | Required | Changed | High | High | High | 14,13,11,8,7 | Note 1 |
| CVE-2020-2800 | Lightweight HTTP Server | Multiple | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 14,13,11,8,7,6 | Note 2 |
| CVE-2019-18197 | JavaFX(libxslt) | Multiple | Yes | 8.1 | Network | High | None | None | Unchanged | High | High | High | 13,11,8 | Note 1 |
| CVE-2020-2781 | JSSE | HTTPS | Yes | 5.3 | Network | Low | None | None | Unchanged | None | None | Low | 14,13,11,8,7,6 | Note 3 |
| CVE-2020-2767 | JSSE | HTTPS | Yes | 4.8 | Network | High | None | None | Unchanged | Low | Low | None | 14,13,11,8* | Note 3 |
| CVE-2020-2778 | JSSE | HTTPS | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | 14,13,11,8* | Note 3 |
| CVE-2020-2773 | Security | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14,13,11,8,7,6 | Note 3 |
| CVE-2020-2757 | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14,13,11,8,7,6 | Note 3 |
| CVE-2020-2756 | Serialization | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14,13,11,8,7,6 | Note 3 |
| CVE-2020-2755 | Scripting | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14,13,11,8 | Note 3 |
| CVE-2020-2754 | Scripting | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | None | None | Low | 14,13,11,8 | Note 3 |
| CVE-2020-2764 | Advanced Management Console | Multiple | Yes | 3.7 | Network | High | None | None | Unchanged | Low | None | None | None | Note 2 |
 

* Applicable only if the UseOpenJSSE option is enabled.

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 2 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |
| 3 | This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service. |

January 2020 – CVSS VERSION 3.0 RISK

| CVE | Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-2604 | Serialization | Multiple | Yes | 8.1 | Network | H | N | N | U | H | H | H | 13, 11, 8, 7 | Note 1 |
| CVE-2019-16168 | JavaFX (SQLite) | Multiple | Yes | 7.5 | Network | L | N | N | U | N | N | H | 13, 11, 8 | Note 2 |
| CVE-2019-13117 | JavaFX (libxslt) | Multiple | Yes | 7.5 | Network | L | N | N | U | H | N | N | 13, 11, 8 | Note 2 |
| CVE-2019-13118 | JavaFX (libxslt) | Multiple | Yes | 7.5 | Network | L | N | N | U | H | N | N | 13, 11, 8 | Note 2 |
| CVE-2020-2601 | Security | Kerberos | Yes | 6.8 | Network | H | N | N | C | H | N | N | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2585 | JavaFX | Multiple | Yes | 5.9 | Network | H | N | N | U | N | H | N | 13, 11, 8 | Note 1 |
| CVE-2020-2655 | JSSE | HTTPS | Yes | 4.8 | Network | H | N | N | U | L | L | N | 13, 11, 8* | Note 1 |
| CVE-2020-2593 | Networking | Multiple | Yes | 4.8 | Network | H | N | N | U | L | L | N | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2654 | Libraries | Multiple | Yes | 3.7 | Network | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 3 |
| CVE-2020-2590 | Security | Kerberos | Yes | 3.7 | Network | H | N | N | U | N | L | N | 13, 11, 8, 7 | Note 1 |
| CVE-2020-2659 | Networking | Multiple | Yes | 3.7 | Network | H | N | N | U | N | N | L | 8, 7 | Note 1 |
| CVE-2020-2583 | Serialization | Multiple | Yes | 3.7 | Network | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
 

* Applicable only if the UseOpenJSSE option is enabled.

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
| 2 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
| 3 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java deployments, such as through a web service. |

July 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-7317 | Java SE | AWT (libpng) | Multiple | Yes | 6.8 | N | H | N | R | U | N | H | H | 12, 11, 8, 7 | Note 1 |
| CVE-2019-2821 | Java SE | JSSE | TLS | Yes | 5.3 | N | H | N | R | U | H | N | N | 12, 11 | Note 1 |
| CVE-2019-2769 | Java SE | Utilities | Multiple | Yes | 5.3 | N | L | N | N | U | N | N | L | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2762 | Java SE | Utilities | Multiple | Yes | 5.3 | N | L | N | N | U | N | N | L | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2745 | Java SE | Security | None | No | 5.1 | L | H | N | N | U | H | N | N | 11, 8, 7 | Note 2 |
| CVE-2019-2816 | Java SE | Networking | Multiple | Yes | 4.8 | N | H | N | N | U | L | L | N | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2842 | Java SE | JCE | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 8, 7 | Note 2 |
| CVE-2019-2786 | Java SE | Security | Multiple | Yes | 3.4 | N | H | N | R | C | L | N | N | 12, 11, 8, 7 | Note 2 |
| CVE-2019-2818 | Java SE | Security | Multiple | Yes | 3.1 | N | H | N | R | U | L | N | N | 12, 11 | Note 1 |
| CVE-2019-2766 | Java SE | Networking | Multiple | Yes | 3.1 | N | H | N | R | U | L | N | N | 12, 11, 8, 7 | Note 2 |
 

* Applicable only if the UseOpenJSSE option is enabled.

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
| 2 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 3 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java deployments, such as through a web service. |

April 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2699 | Java SE | Windows DLL | Multiple | Yes | 9.0 | N | H | N | N | C | H | H | H | 7 | Note 1 |
| CVE-2019-2698 | Java SE | 2D | Multiple | Yes | 8.1 | N | H | N | N | U | H | H | H | 8, 7 | Note 2 |
| CVE-2019-2697 | Java SE | 2D | Multiple | Yes | 8.1 | N | H | N | N | U | H | H | H | None | Note 2 |
| CVE-2019-2602 | Java SE | Libraries | Multiple | Yes | 7.5 | N | L | N | N | U | N | N | H | 12, 11, 8, 7 | Note 3 |
| CVE-2019-2684 | Java SE | RMI | Multiple | Yes | 5.9 | N | H | N | N | U | N | H | N | 12, 11, 8, 7 | Note 1 |
 

* Applicable only if the UseOpenJSSE option is enabled.

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
| 2 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 3 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java deployments, such as through a web service. |

October 2019 – CVSS VERSION 3.0 RISK

| CVE | Component | Sub Component | Protocol | Remote Exploit without Auth. | Base Score | Attack Vector | Attack Complex | Privs Req’d | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Zulu Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2019-2949 | Kerberos | javax.net.ssl | Kerberos | Yes | 6.8 | N | H | N | N | C | H | N | N | 13, 11, 8 | Note 1 |
| CVE-2019-2989 | Networking | java.net | Multiple | Yes | 6.8 | N | H | N | N | C | N | H | N | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2958 | Libraries | java.lang | Multiple | Yes | 5.9 | N | H | N | N | U | N | H | N | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2977 | Hotspot | compiler | Multiple | Yes | 4.8 | N | H | N | N | U | L | N | L | 13, 11 | Note 2 |
| CVE-2019-2975 | Scripting | javax.script | Multiple | Yes | 4.8 | N | H | N | N | U | N | L | L | 13, 11, 8 | Note 1 |
| CVE-2019-2999 | Javadoc | javadoc (tool) | Multiple | Yes | 4.7 | N | H | N | R | C | L | L | N | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2987 | 2d | 2d | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2981 | JAXP | jaxp | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2973 | JAXP | jaxp | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2983 | Serialization | 2d | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2988 | 2D | 2d | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2978 | Networking | java.net | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2992 | 2D | 2d | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2964 | Concurrency | java.util.regex | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 3 |
| CVE-2019-2962 | 2D | 2d | Multiple | Yes | 3.7 | N | H | N | N | U | N | N | L | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2933 | Libraries | | Multiple | Yes | 3.1 | N | H | N | R | U | L | N | N | 13, 11, 8, 7 | Note 1 |
| CVE-2019-2945 | Networking | | Multiple | Yes | 3.1 | N | H | N | R | U | N | N | L | 13, 11, 8, 7 | Note 2 |
| CVE-2019-2894 | Security | javax.net.ssl | Multiple | Yes | 3.7 | N | H | N | N | U | L | N | N | 13, 11, 8, 7 | Note 1 |
 

* Applicable only if the UseOpenJSSE option is enabled.

| ID | Notes |
|---|---|
| 1 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. |
| 2 | This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). |
| 3 | This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java deployments, such as through a web service. |

 Did You Know?

Security-only patches are only available from Oracle and Azul? Did you also know that every free build of OpenJDK contains only PSUs?

CPU and PSU updates

CPU updates were designed for very rapid deployment, within days of release, while PSU updates add many new features and need to be tested thoroughly prior to deployment.

To learn more about the difference between CPU and PSU updates for OpenJDK, and the best ways to manage Java security at your site, start by discovering why security-only updates like those available via a Zulu Enterprise subscription are a more cost-effective choice for keeping your Java infrastructure secure.

 

© Azul 2020 All rights reserved.