CVE-2020-2754
First published: Sun Apr 12 2020(Updated: )
A flaw was found in the Nashorn JavaScript engine in the Scripting component of OpenJDK. Processing of the forward references prior to checking for regular expression syntax errors could cause an unexpected exception to be raised when processing a specially crafted regular expression.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 |
| redhat/java | <11-openjdk-1:11.0.7.10-4.el7_8 | 11-openjdk-1:11.0.7.10-4.el7_8 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_1 | 11-openjdk-1:11.0.7.10-1.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.10-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_0 | 11-openjdk-1:11.0.7.10-1.el8_0 |
| debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
| debian/openjdk-8 | 8u422-b05-1 | |
| IBM Engineering Requirements Quality Assistant | <=All | |
| Oracle OpenJDK 1.8.0 | =1.8.0-update241 | |
| Oracle OpenJDK 1.8.0 | =11.0.6 | |
| Oracle OpenJDK 1.8.0 | =14.0.0 | |
| Oracle JRE | =1.8.0-update241 | |
| Oracle JRE | =11.0.6 | |
| Oracle JRE | =14.0.0 | |
| OpenJDK 8 | >=11<=11.0.6 | |
| OpenJDK 8 | >=13<=13.0.2 | |
| OpenJDK 8 | =7 | |
| OpenJDK 8 | =7-update1 | |
| OpenJDK 8 | =7-update10 | |
| OpenJDK 8 | =7-update101 | |
| OpenJDK 8 | =7-update11 | |
| OpenJDK 8 | =7-update111 | |
| OpenJDK 8 | =7-update121 | |
| OpenJDK 8 | =7-update13 | |
| OpenJDK 8 | =7-update131 | |
| OpenJDK 8 | =7-update141 | |
| OpenJDK 8 | =7-update15 | |
| OpenJDK 8 | =7-update151 | |
| OpenJDK 8 | =7-update161 | |
| OpenJDK 8 | =7-update17 | |
| OpenJDK 8 | =7-update171 | |
| OpenJDK 8 | =7-update181 | |
| OpenJDK 8 | =7-update191 | |
| OpenJDK 8 | =7-update2 | |
| OpenJDK 8 | =7-update201 | |
| OpenJDK 8 | =7-update21 | |
| OpenJDK 8 | =7-update211 | |
| OpenJDK 8 | =7-update221 | |
| OpenJDK 8 | =7-update231 | |
| OpenJDK 8 | =7-update241 | |
| OpenJDK 8 | =7-update25 | |
| OpenJDK 8 | =7-update251 | |
| OpenJDK 8 | =7-update3 | |
| OpenJDK 8 | =7-update4 | |
| OpenJDK 8 | =7-update40 | |
| OpenJDK 8 | =7-update45 | |
| OpenJDK 8 | =7-update5 | |
| OpenJDK 8 | =7-update51 | |
| OpenJDK 8 | =7-update55 | |
| OpenJDK 8 | =7-update6 | |
| OpenJDK 8 | =7-update60 | |
| OpenJDK 8 | =7-update65 | |
| OpenJDK 8 | =7-update67 | |
| OpenJDK 8 | =7-update7 | |
| OpenJDK 8 | =7-update72 | |
| OpenJDK 8 | =7-update76 | |
| OpenJDK 8 | =7-update80 | |
| OpenJDK 8 | =7-update85 | |
| OpenJDK 8 | =7-update9 | |
| OpenJDK 8 | =7-update91 | |
| OpenJDK 8 | =7-update95 | |
| OpenJDK 8 | =7-update97 | |
| OpenJDK 8 | =7-update99 | |
| OpenJDK 8 | =8 | |
| OpenJDK 8 | =8-update101 | |
| OpenJDK 8 | =8-update102 | |
| OpenJDK 8 | =8-update11 | |
| OpenJDK 8 | =8-update111 | |
| OpenJDK 8 | =8-update112 | |
| OpenJDK 8 | =8-update121 | |
| OpenJDK 8 | =8-update131 | |
| OpenJDK 8 | =8-update141 | |
| OpenJDK 8 | =8-update151 | |
| OpenJDK 8 | =8-update152 | |
| OpenJDK 8 | =8-update161 | |
| OpenJDK 8 | =8-update162 | |
| OpenJDK 8 | =8-update171 | |
| OpenJDK 8 | =8-update172 | |
| OpenJDK 8 | =8-update181 | |
| OpenJDK 8 | =8-update191 | |
| OpenJDK 8 | =8-update192 | |
| OpenJDK 8 | =8-update20 | |
| OpenJDK 8 | =8-update201 | |
| OpenJDK 8 | =8-update202 | |
| OpenJDK 8 | =8-update211 | |
| OpenJDK 8 | =8-update212 | |
| OpenJDK 8 | =8-update221 | |
| OpenJDK 8 | =8-update231 | |
| OpenJDK 8 | =8-update241 | |
| OpenJDK 8 | =8-update25 | |
| OpenJDK 8 | =8-update31 | |
| OpenJDK 8 | =8-update40 | |
| OpenJDK 8 | =8-update45 | |
| OpenJDK 8 | =8-update5 | |
| OpenJDK 8 | =8-update51 | |
| OpenJDK 8 | =8-update60 | |
| OpenJDK 8 | =8-update65 | |
| OpenJDK 8 | =8-update66 | |
| OpenJDK 8 | =8-update71 | |
| OpenJDK 8 | =8-update72 | |
| OpenJDK 8 | =8-update73 | |
| OpenJDK 8 | =8-update74 | |
| OpenJDK 8 | =8-update77 | |
| OpenJDK 8 | =8-update91 | |
| OpenJDK 8 | =8-update92 | |
| OpenJDK 8 | =14 | |
| NetApp Active IQ Unified Manager | >=7.3 | |
| NetApp Active IQ Unified Manager | >=9.5 | |
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.60.1 | |
| NetApp SnapManager for SAP | ||
| NetApp SnapManager for Oracle | ||
| NetApp StorageGrid | >=9.0.0<=9.0.4 | |
| NetApp StorageGrid | ||
| Fedora | =30 | |
| Fedora | =31 | |
| Fedora | =32 | |
| SUSE Linux | =15.1 | |
| SUSE Linux | =15.2 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Trellix ePolicy Orchestrator | =5.9.0 | |
| Trellix ePolicy Orchestrator | =5.9.1 | |
| Trellix ePolicy Orchestrator | =5.10.0 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_1 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_2 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_3 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_4 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_5 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_6 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_7 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-2754 https://nvd.nist.gov/vuln/detail/CVE-2020-2754
- https://bugzilla.redhat.com/show_bug.cgi?id=1823199
- https://access.redhat.com/errata/RHSA-2020:1506
- https://access.redhat.com/errata/RHSA-2020:2239
- https://access.redhat.com/errata/RHSA-2020:1509
- https://access.redhat.com/errata/RHSA-2020:1512
- https://access.redhat.com/errata/RHSA-2020:2237
- https://access.redhat.com/errata/RHSA-2020:1514
- https://access.redhat.com/errata/RHSA-2020:1515
- https://access.redhat.com/errata/RHSA-2020:2241
- https://access.redhat.com/errata/RHSA-2020:1516
- https://access.redhat.com/errata/RHSA-2020:1517
- https://access.redhat.com/security/cve/cve-2020-2754
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2020/dsa-4662
- https://usn.ubuntu.com/4337-1/
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://launchpad.net/bugs/cve/CVE-2020-2754
- https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/5006fd8e5864
- http://hg.openjdk.java.net/jdk8u/jdk8u/nashorn/rev/2e03a91e04b9
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/179654
- https://www.ibm.com/support/pages/node/6398724 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-2754
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2754
- https://nvd.nist.gov/vuln/detail/CVE-2020-2754
- https://ubuntu.com/security/CVE-2020-2754
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-2754?
CVE-2020-2754 is classified as a medium severity vulnerability.
How do I fix CVE-2020-2754?
To fix CVE-2020-2754, update to the recommended versions of OpenJDK provided in the advisory.
What is the impact of CVE-2020-2754?
CVE-2020-2754 can lead to unexpected exceptions during the processing of specially crafted regular expressions.
Which versions are affected by CVE-2020-2754?
CVE-2020-2754 affects multiple versions of OpenJDK before the fixed releases.
Is CVE-2020-2754 present in Oracle JDK?
Yes, CVE-2020-2754 is also applicable to certain versions of Oracle JDK and JRE.
- collector/redhat-cve
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-2754
- agent/type
- agent/weakness
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm engineering requirements quality assistant
- version/ibm engineering requirements quality assistant/all
- vendor/oracle
- canonical/oracle openjdk 1.8.0
- version/oracle openjdk 1.8.0/1.8.0-update241
- version/oracle openjdk 1.8.0/11.0.6
- version/oracle openjdk 1.8.0/14.0.0
- canonical/oracle jre
- version/oracle jre/1.8.0-update241
- version/oracle jre/11.0.6
- version/oracle jre/14.0.0
- canonical/openjdk 8
- version/openjdk 8/11
- version/openjdk 8/11.0.6
- version/openjdk 8/13
- version/openjdk 8/13.0.2
- version/openjdk 8/7
- version/openjdk 8/7-update1
- version/openjdk 8/7-update10
- version/openjdk 8/7-update101
- version/openjdk 8/7-update11
- version/openjdk 8/7-update111
- version/openjdk 8/7-update121
- version/openjdk 8/7-update13
- version/openjdk 8/7-update131
- version/openjdk 8/7-update141
- version/openjdk 8/7-update15
- version/openjdk 8/7-update151
- version/openjdk 8/7-update161
- version/openjdk 8/7-update17
- version/openjdk 8/7-update171
- version/openjdk 8/7-update181
- version/openjdk 8/7-update191
- version/openjdk 8/7-update2
- version/openjdk 8/7-update201
- version/openjdk 8/7-update21
- version/openjdk 8/7-update211
- version/openjdk 8/7-update221
- version/openjdk 8/7-update231
- version/openjdk 8/7-update241
- version/openjdk 8/7-update25
- version/openjdk 8/7-update251
- version/openjdk 8/7-update3
- version/openjdk 8/7-update4
- version/openjdk 8/7-update40
- version/openjdk 8/7-update45
- version/openjdk 8/7-update5
- version/openjdk 8/7-update51
- version/openjdk 8/7-update55
- version/openjdk 8/7-update6
- version/openjdk 8/7-update60
- version/openjdk 8/7-update65
- version/openjdk 8/7-update67
- version/openjdk 8/7-update7
- version/openjdk 8/7-update72
- version/openjdk 8/7-update76
- version/openjdk 8/7-update80
- version/openjdk 8/7-update85
- version/openjdk 8/7-update9
- version/openjdk 8/7-update91
- version/openjdk 8/7-update95
- version/openjdk 8/7-update97
- version/openjdk 8/7-update99
- version/openjdk 8/8
- version/openjdk 8/8-update101
- version/openjdk 8/8-update102
- version/openjdk 8/8-update11
- version/openjdk 8/8-update111
- version/openjdk 8/8-update112
- version/openjdk 8/8-update121
- version/openjdk 8/8-update131
- version/openjdk 8/8-update141
- version/openjdk 8/8-update151
- version/openjdk 8/8-update152
- version/openjdk 8/8-update161
- version/openjdk 8/8-update162
- version/openjdk 8/8-update171
- version/openjdk 8/8-update172
- version/openjdk 8/8-update181
- version/openjdk 8/8-update191
- version/openjdk 8/8-update192
- version/openjdk 8/8-update20
- version/openjdk 8/8-update201
- version/openjdk 8/8-update202
- version/openjdk 8/8-update211
- version/openjdk 8/8-update212
- version/openjdk 8/8-update221
- version/openjdk 8/8-update231
- version/openjdk 8/8-update241
- version/openjdk 8/8-update25
- version/openjdk 8/8-update31
- version/openjdk 8/8-update40
- version/openjdk 8/8-update45
- version/openjdk 8/8-update5
- version/openjdk 8/8-update51
- version/openjdk 8/8-update60
- version/openjdk 8/8-update65
- version/openjdk 8/8-update66
- version/openjdk 8/8-update71
- version/openjdk 8/8-update72
- version/openjdk 8/8-update73
- version/openjdk 8/8-update74
- version/openjdk 8/8-update77
- version/openjdk 8/8-update91
- version/openjdk 8/8-update92
- version/openjdk 8/14
- vendor/netapp
- canonical/netapp active iq unified manager
- version/netapp active iq unified manager/7.3
- version/netapp active iq unified manager/9.5
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.60.1
- canonical/netapp snapmanager for sap
- canonical/netapp snapmanager for oracle
- canonical/netapp storagegrid
- version/netapp storagegrid/9.0.0
- version/netapp storagegrid/9.0.4
- vendor/fedoraproject
- canonical/fedora
- version/fedora/30
- version/fedora/31
- version/fedora/32
- vendor/opensuse
- canonical/suse linux
- version/suse linux/15.1
- version/suse linux/15.2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.10
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- vendor/mcafee
- canonical/trellix epolicy orchestrator
- version/trellix epolicy orchestrator/5.9.0
- version/trellix epolicy orchestrator/5.9.1
- version/trellix epolicy orchestrator/5.10.0
- version/trellix epolicy orchestrator/5.10.0-update_1
- version/trellix epolicy orchestrator/5.10.0-update_2
- version/trellix epolicy orchestrator/5.10.0-update_3
- version/trellix epolicy orchestrator/5.10.0-update_4
- version/trellix epolicy orchestrator/5.10.0-update_5
- version/trellix epolicy orchestrator/5.10.0-update_6
- version/trellix epolicy orchestrator/5.10.0-update_7
- version/trellix epolicy orchestrator/5.10.0-update_8