First published: Mon Jul 15 2019(Updated: )
It was discovered that the implementation of the Collections class in the Utilities component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.
Credit: secalert_us@oracle.com secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
Oracle JDK | =1.7.0-update221 | |
Oracle JDK | =1.8.0-update211 | |
Oracle JDK | =1.8.0-update212 | |
Oracle JDK | =11.0.3 | |
Oracle JDK | =12.0.1 | |
Oracle JRE | =1.7.0-update221 | |
Oracle JRE | =1.8.0-update211 | |
Oracle JRE | =1.8.0-update212 | |
Oracle JRE | =11.0.3 | |
Oracle JRE | =12.0.1 | |
Debian Debian Linux | =8.0 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
Redhat Satellite | =5.8 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Hp Xp7 Command View | <8.7.0-00 | |
McAfee ePolicy Orchestrator | =5.9.0 | |
McAfee ePolicy Orchestrator | =5.9.1 | |
McAfee ePolicy Orchestrator | =5.10.0 | |
McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
openSUSE Leap | =15.0 | |
openSUSE Leap | =15.1 | |
debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25+9-1~deb11u1 11.0.26~6ea-1 | |
debian/openjdk-8 | 8u432-b06-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2019-2769 is medium with a severity value of 5.3.
Java SE versions 7u221, 8u212, 11.0.3, and 12.0.1 are affected by CVE-2019-2769.
Yes, CVE-2019-2769 is easily exploitable by an unauthenticated attacker with network access.
To fix CVE-2019-2769, update to Java SE version 12.0.2+9-1 or later.
You can find more information about CVE-2019-2769 in the following references: [Oracle Security Advisory](http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html), [Ubuntu Security Notice 4080-1](https://usn.ubuntu.com/4080-1/), [Ubuntu Security Notice 4083-1](https://usn.ubuntu.com/4083-1/).