CVE-2020-2590: Input Validation
First published: Mon Jan 13 2020(Updated: )
A flaw was found in the way the GssKrb5Base class in the Security component of OpenJDK validated properties of SASL messages included in Kerberos GSSAPI, omitting required token checks. An remote attacker with ability to manipulate network traffic between server and client using Kerberos GSSAPI could possibly perform message modification that would not be detected during message decoding.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.8.0-openjdk-1:1.8.0.242.b07-1.el6_10 | 1.8.0-openjdk-1:1.8.0.242.b07-1.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el6_10 | 1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el6_10 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el6_10 |
| redhat/java | <11-openjdk-1:11.0.6.10-1.el7_7 | 11-openjdk-1:11.0.6.10-1.el7_7 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.242.b08-0.el7_7 | 1.8.0-openjdk-1:1.8.0.242.b08-0.el7_7 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el7_7 | 1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el7_7 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el7 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.20-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.20-1jpp.1.el7 |
| redhat/java | <11-openjdk-1:11.0.6.10-0.el8_1 | 11-openjdk-1:11.0.6.10-0.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.242.b08-0.el8_1 | 1.8.0-openjdk-1:1.8.0.242.b08-0.el8_1 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.15-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.15-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.242.b08-0.el8_0 | 1.8.0-openjdk-1:1.8.0.242.b08-0.el8_0 |
| redhat/java | <11-openjdk-1:11.0.6.10-0.el8_0 | 11-openjdk-1:11.0.6.10-0.el8_0 |
| Oracle JDK | =1.7.0-update241 | |
| Oracle JDK | =1.8.0-update231 | |
| Oracle JDK | =11.0.5 | |
| Oracle JDK | =13.0.1 | |
| Oracle JRE | =1.7.0-update_241 | |
| Oracle JRE | =1.8.0-update_231 | |
| Oracle JRE | =11.0.5 | |
| Oracle JRE | =13.0.1 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =7.7 | |
| Redhat Enterprise Linux Eus | =8.1 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Tus | =7.7 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Oracle OpenJDK | =7 | |
| Oracle OpenJDK | =7-update241 | |
| Oracle OpenJDK | =7-update80 | |
| Oracle OpenJDK | =7-update85 | |
| Oracle OpenJDK | =8 | |
| Oracle OpenJDK | =8-update102 | |
| Oracle OpenJDK | =8-update112 | |
| Oracle OpenJDK | =8-update152 | |
| Oracle OpenJDK | =8-update162 | |
| Oracle OpenJDK | =8-update172 | |
| Oracle OpenJDK | =8-update192 | |
| Oracle OpenJDK | =8-update20 | |
| Oracle OpenJDK | =8-update202 | |
| Oracle OpenJDK | =8-update212 | |
| Oracle OpenJDK | =8-update222 | |
| Oracle OpenJDK | =8-update232 | |
| Oracle OpenJDK | =8-update40 | |
| Oracle OpenJDK | =8-update60 | |
| Oracle OpenJDK | =8-update66 | |
| Oracle OpenJDK | =8-update72 | |
| Oracle OpenJDK | =8-update92 | |
| Oracle OpenJDK | =11 | |
| Oracle OpenJDK | =11.0.1 | |
| Oracle OpenJDK | =11.0.2 | |
| Oracle OpenJDK | =11.0.3 | |
| Oracle OpenJDK | =11.0.4 | |
| Oracle OpenJDK | =11.0.5 | |
| Oracle OpenJDK | =13 | |
| Oracle OpenJDK | =13.0.1 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| openSUSE Leap | =15.1 | |
| McAfee ePolicy Orchestrator | =5.9.0 | |
| McAfee ePolicy Orchestrator | =5.9.1 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_5 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_6 | |
| Netapp Active Iq Unified Manager Windows | >=7.3 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | >=9.5 | |
| Netapp E-series Performance Analyzer | ||
| Netapp E-series Santricity Management Vmware Vcenter | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.60.3 | |
| Netapp E-series Santricity Storage Manager | ||
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| Netapp Santricity Unified Manager | ||
| Netapp Steelstore Cloud Integrated Storage | ||
| debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
| debian/openjdk-8 | 8u422-b05-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-2590 https://nvd.nist.gov/vuln/detail/CVE-2020-2590
- https://bugzilla.redhat.com/show_bug.cgi?id=1790556
- https://access.redhat.com/errata/RHSA-2020:0157
- https://access.redhat.com/errata/RHSA-2020:0632
- https://access.redhat.com/errata/RHSA-2020:3387
- https://access.redhat.com/errata/RHSA-2020:0122
- https://access.redhat.com/errata/RHSA-2020:0196
- https://access.redhat.com/errata/RHSA-2020:0541
- https://access.redhat.com/errata/RHSA-2020:3388
- https://access.redhat.com/errata/RHSA-2020:5585
- https://access.redhat.com/errata/RHSA-2020:0128
- https://access.redhat.com/errata/RHSA-2020:0202
- https://access.redhat.com/errata/RHSA-2020:3386
- https://access.redhat.com/errata/RHSA-2020:0231
- https://access.redhat.com/errata/RHSA-2020:0232
- https://access.redhat.com/security/cve/cve-2020-2590
- https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/7ca373fa432a
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/2c2aa634c373
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/87d56a90dc49
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
- https://seclists.org/bugtraq/2020/Feb/22
- https://seclists.org/bugtraq/2020/Jan/24
- https://security.gentoo.org/glsa/202101-19
- https://security.netapp.com/advisory/ntap-20200122-0003/
- https://usn.ubuntu.com/4257-1/
- https://www.debian.org/security/2020/dsa-4605
- https://www.debian.org/security/2020/dsa-4621
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10315
- https://launchpad.net/bugs/cve/CVE-2020-2590
- https://security-tracker.debian.org/tracker/CVE-2020-2590
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2590
- https://nvd.nist.gov/vuln/detail/CVE-2020-2590
- https://ubuntu.com/security/CVE-2020-2590
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-2590
- agent/remedy
- agent/weakness
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/description
- collector/launchpad-cve
- source/Launchpad
- agent/references
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.7.0-update241
- version/oracle jdk/1.8.0-update231
- version/oracle jdk/11.0.5
- version/oracle jdk/13.0.1
- canonical/oracle jre
- version/oracle jre/1.7.0-update_241
- version/oracle jre/1.8.0-update_231
- version/oracle jre/11.0.5
- version/oracle jre/13.0.1
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.7
- version/redhat enterprise linux eus/8.1
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux tus
- version/redhat enterprise linux tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- canonical/oracle openjdk
- version/oracle openjdk/7
- version/oracle openjdk/7-update241
- version/oracle openjdk/7-update80
- version/oracle openjdk/7-update85
- version/oracle openjdk/8
- version/oracle openjdk/8-update102
- version/oracle openjdk/8-update112
- version/oracle openjdk/8-update152
- version/oracle openjdk/8-update162
- version/oracle openjdk/8-update172
- version/oracle openjdk/8-update192
- version/oracle openjdk/8-update20
- version/oracle openjdk/8-update202
- version/oracle openjdk/8-update212
- version/oracle openjdk/8-update222
- version/oracle openjdk/8-update232
- version/oracle openjdk/8-update40
- version/oracle openjdk/8-update60
- version/oracle openjdk/8-update66
- version/oracle openjdk/8-update72
- version/oracle openjdk/8-update92
- version/oracle openjdk/11
- version/oracle openjdk/11.0.1
- version/oracle openjdk/11.0.2
- version/oracle openjdk/11.0.3
- version/oracle openjdk/11.0.4
- version/oracle openjdk/11.0.5
- version/oracle openjdk/13
- version/oracle openjdk/13.0.1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.10
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.9.0
- version/mcafee epolicy orchestrator/5.9.1
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- version/mcafee epolicy orchestrator/5.10.0-update_5
- version/mcafee epolicy orchestrator/5.10.0-update_6
- vendor/netapp
- canonical/netapp active iq unified manager windows
- version/netapp active iq unified manager windows/7.3
- canonical/netapp active iq unified manager vmware vsphere
- version/netapp active iq unified manager vmware vsphere/9.5
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity management vmware vcenter
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.60.3
- canonical/netapp e-series santricity storage manager
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp santricity unified manager
- canonical/netapp steelstore cloud integrated storage
- package-manager/debian