First published: Tue Jul 14 2020(Updated: )
A flaw was found in the way the XMLSchemaValidator class in the JAXP component of OpenJDK enforced the "use-grammar-pool-only" feature. A specially-crafted XML file could possibly use this flaw to manipulate with the validation process in certain cases.
Credit: secalert_us@oracle.com secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.8.0-openjdk-1:1.8.0.262.b10-0.el6_10 | 1.8.0-openjdk-1:1.8.0.262.b10-0.el6_10 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el6_10 |
redhat/java | <1.8.0-openjdk-1:1.8.0.262.b10-0.el7_8 | 1.8.0-openjdk-1:1.8.0.262.b10-0.el7_8 |
redhat/java | <11-openjdk-1:11.0.8.10-0.el7_8 | 11-openjdk-1:11.0.8.10-0.el7_8 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el7 |
redhat/java | <1.8.0-ibm-1:1.8.0.6.20-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.20-1jpp.1.el7 |
redhat/java | <11-openjdk-1:11.0.8.10-0.el8_2 | 11-openjdk-1:11.0.8.10-0.el8_2 |
redhat/java | <1.8.0-openjdk-1:1.8.0.262.b10-0.el8_2 | 1.8.0-openjdk-1:1.8.0.262.b10-0.el8_2 |
redhat/java | <1.8.0-ibm-1:1.8.0.6.15-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.15-1.el8_2 |
redhat/java | <11-openjdk-1:11.0.8.10-0.el8_0 | 11-openjdk-1:11.0.8.10-0.el8_0 |
redhat/java | <1.8.0-openjdk-1:1.8.0.262.b10-0.el8_0 | 1.8.0-openjdk-1:1.8.0.262.b10-0.el8_0 |
redhat/java | <11-openjdk-1:11.0.8.10-0.el8_1 | 11-openjdk-1:11.0.8.10-0.el8_1 |
redhat/java | <1.8.0-openjdk-1:1.8.0.262.b10-0.el8_1 | 1.8.0-openjdk-1:1.8.0.262.b10-0.el8_1 |
Oracle JDK | =1.7.0-update261 | |
Oracle JDK | =1.8.0-update251 | |
Oracle JDK | =11.0.7 | |
Oracle JDK | =14.0.1 | |
Oracle JRE | =1.8.0-update251 | |
Fedoraproject Fedora | =31 | |
Fedoraproject Fedora | =32 | |
McAfee ePolicy Orchestrator | =5.9.0 | |
McAfee ePolicy Orchestrator | =5.9.1 | |
McAfee ePolicy Orchestrator | =5.10.0 | |
McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
McAfee ePolicy Orchestrator | =5.10.0-update_7 | |
McAfee ePolicy Orchestrator | =5.10.0-update_8 | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =15.2 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
NetApp 7-Mode Transition Tool | ||
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Netapp Active Iq Unified Manager Windows | ||
Netapp Cloud Backup | ||
Netapp Cloud Secure Agent | ||
Netapp E-series Performance Analyzer | ||
NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
Netapp E-series Santricity Storage Manager | ||
Netapp E-series Santricity Web Services Web Services Proxy | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Unified Manager Core Package | ||
NetApp OnCommand Workflow Automation | ||
Netapp Plug-in For Symantec Netbackup | ||
Netapp Santricity Unified Manager | ||
Netapp Snapmanager Oracle | ||
Netapp Snapmanager Sap | ||
Netapp Steelstore Cloud Integrated Storage | ||
debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25+9-1~deb11u1 11.0.26~6ea-1 | |
debian/openjdk-8 | 8u432-b06-2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2020-14621 is an unspecified vulnerability in Java SE related to the JAXP component.
Java SE versions 7u261, 8u251, 11.0.7, and 14.0.1 are affected by CVE-2020-14621.
CVE-2020-14621 has a severity level of 5.3 (medium).
Yes, CVE-2020-14621 is an easily exploitable vulnerability.
To fix CVE-2020-14621, you should update to the patched versions of Java SE or Java SE Embedded provided by Oracle.