Oracle Java SE 7u251/8u241/11.0.6/14 Security denial of service

Summaryinfo

A vulnerability has been found in Oracle Java SE 7u251/8u241/11.0.6/14 and classified as problematic. This vulnerability affects unknown code of the component Security. This manipulation causes denial of service. This vulnerability is handled as CVE-2020-2773. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability classified as problematic was found in Oracle Java SE 7u251/8u241/11.0.6/14 (Programming Language Software). Affected by this vulnerability is an unknown part of the component Security. The manipulation with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. The product does not release or incorrectly releases a resource before it is made available for re-use. As an impact it is known to affect availability. The summary by CVE is:

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u251, 8u241, 11.0.6 and 14; Java SE Embedded: 8u241. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

The weakness was released 04/15/2020 as Oracle Critical Patch Update Advisory - April 2020 as confirmed advisory (Website). The advisory is shared at oracle.com. This vulnerability is known as CVE-2020-2773. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1499 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 208569 (CentOS 7 : java-1.8.0-ibm (RHSA-2021:0717)), which helps to determine the existence of the flaw in a target environment.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (208569). Entries connected to this vulnerability are available at VDB-153686, VDB-153290, VDB-153291 and VDB-153293. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Programming Language Software

Vendor

• Oracle

Name

• Java SE

Version

• 7u251
• 8u241
• 11.0.6
• 14

License

• open-source

Website

• Vendor: https://www.oracle.com

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion