CVE-2020-2757
First published: Sun Apr 12 2020(Updated: )
A flaw was found in the Serialization component of OpenJDK. The invokeWriteObject() method of the ObjectStreamClass method failed to catch InstantiationError exception during object stream deserialization, which could cause an unexpected exception to be raised when processing an untrusted serialized input.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 |
| redhat/java | <11-openjdk-1:11.0.7.10-4.el7_8 | 11-openjdk-1:11.0.7.10-4.el7_8 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_1 | 11-openjdk-1:11.0.7.10-1.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.10-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_0 | 11-openjdk-1:11.0.7.10-1.el8_0 |
| debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
| debian/openjdk-8 | 8u422-b05-1 | |
| IBM Engineering Requirements Quality Assistant | <=All | |
| Oracle OpenJDK 1.8.0 | =1.7.0-update251 | |
| Oracle OpenJDK 1.8.0 | =1.8.0-update241 | |
| Oracle OpenJDK 1.8.0 | =11.0.6 | |
| Oracle OpenJDK 1.8.0 | =14.0.0 | |
| Oracle JRE | =1.7.0-update251 | |
| Oracle JRE | =1.8.0-update241 | |
| Oracle JRE | =11.0.6 | |
| Oracle JRE | =14.0.0 | |
| OpenJDK 8 | >=11<=11.0.6 | |
| OpenJDK 8 | >=13<=13.0.2 | |
| OpenJDK 8 | =7 | |
| OpenJDK 8 | =7-update1 | |
| OpenJDK 8 | =7-update10 | |
| OpenJDK 8 | =7-update101 | |
| OpenJDK 8 | =7-update11 | |
| OpenJDK 8 | =7-update111 | |
| OpenJDK 8 | =7-update121 | |
| OpenJDK 8 | =7-update13 | |
| OpenJDK 8 | =7-update131 | |
| OpenJDK 8 | =7-update141 | |
| OpenJDK 8 | =7-update15 | |
| OpenJDK 8 | =7-update151 | |
| OpenJDK 8 | =7-update161 | |
| OpenJDK 8 | =7-update17 | |
| OpenJDK 8 | =7-update171 | |
| OpenJDK 8 | =7-update181 | |
| OpenJDK 8 | =7-update191 | |
| OpenJDK 8 | =7-update2 | |
| OpenJDK 8 | =7-update201 | |
| OpenJDK 8 | =7-update21 | |
| OpenJDK 8 | =7-update211 | |
| OpenJDK 8 | =7-update221 | |
| OpenJDK 8 | =7-update231 | |
| OpenJDK 8 | =7-update241 | |
| OpenJDK 8 | =7-update25 | |
| OpenJDK 8 | =7-update251 | |
| OpenJDK 8 | =7-update3 | |
| OpenJDK 8 | =7-update4 | |
| OpenJDK 8 | =7-update40 | |
| OpenJDK 8 | =7-update45 | |
| OpenJDK 8 | =7-update5 | |
| OpenJDK 8 | =7-update51 | |
| OpenJDK 8 | =7-update55 | |
| OpenJDK 8 | =7-update6 | |
| OpenJDK 8 | =7-update60 | |
| OpenJDK 8 | =7-update65 | |
| OpenJDK 8 | =7-update67 | |
| OpenJDK 8 | =7-update7 | |
| OpenJDK 8 | =7-update72 | |
| OpenJDK 8 | =7-update76 | |
| OpenJDK 8 | =7-update80 | |
| OpenJDK 8 | =7-update85 | |
| OpenJDK 8 | =7-update9 | |
| OpenJDK 8 | =7-update91 | |
| OpenJDK 8 | =7-update95 | |
| OpenJDK 8 | =7-update97 | |
| OpenJDK 8 | =7-update99 | |
| OpenJDK 8 | =8 | |
| OpenJDK 8 | =8-update101 | |
| OpenJDK 8 | =8-update102 | |
| OpenJDK 8 | =8-update11 | |
| OpenJDK 8 | =8-update111 | |
| OpenJDK 8 | =8-update112 | |
| OpenJDK 8 | =8-update121 | |
| OpenJDK 8 | =8-update131 | |
| OpenJDK 8 | =8-update141 | |
| OpenJDK 8 | =8-update151 | |
| OpenJDK 8 | =8-update152 | |
| OpenJDK 8 | =8-update161 | |
| OpenJDK 8 | =8-update162 | |
| OpenJDK 8 | =8-update171 | |
| OpenJDK 8 | =8-update172 | |
| OpenJDK 8 | =8-update181 | |
| OpenJDK 8 | =8-update191 | |
| OpenJDK 8 | =8-update192 | |
| OpenJDK 8 | =8-update20 | |
| OpenJDK 8 | =8-update201 | |
| OpenJDK 8 | =8-update202 | |
| OpenJDK 8 | =8-update211 | |
| OpenJDK 8 | =8-update212 | |
| OpenJDK 8 | =8-update221 | |
| OpenJDK 8 | =8-update231 | |
| OpenJDK 8 | =8-update241 | |
| OpenJDK 8 | =8-update25 | |
| OpenJDK 8 | =8-update31 | |
| OpenJDK 8 | =8-update40 | |
| OpenJDK 8 | =8-update45 | |
| OpenJDK 8 | =8-update5 | |
| OpenJDK 8 | =8-update51 | |
| OpenJDK 8 | =8-update60 | |
| OpenJDK 8 | =8-update65 | |
| OpenJDK 8 | =8-update66 | |
| OpenJDK 8 | =8-update71 | |
| OpenJDK 8 | =8-update72 | |
| OpenJDK 8 | =8-update73 | |
| OpenJDK 8 | =8-update74 | |
| OpenJDK 8 | =8-update77 | |
| OpenJDK 8 | =8-update91 | |
| OpenJDK 8 | =8-update92 | |
| OpenJDK 8 | =14 | |
| NetApp 7-Mode Transition Tool | ||
| NetApp Active IQ Unified Manager | >=7.3 | |
| NetApp Active IQ Unified Manager | >=9.5 | |
| NetApp Cloud Backup | ||
| NetApp Cloud Secure Agent | ||
| NetApp E-Series Performance Analyzer | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
| NetApp E-Series SANtricity Web Services | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp E-Series SANtricity Unified Manager | ||
| NetApp SnapManager for SAP | ||
| NetApp SnapManager for Oracle | ||
| NetApp SteelStore Cloud Integrated Storage | ||
| NetApp StorageGrid | >=9.0.0<=9.0.4 | |
| NetApp StorageGrid | ||
| Fedora | =30 | |
| Fedora | =31 | |
| Fedora | =32 | |
| SUSE Linux | =15.1 | |
| SUSE Linux | =15.2 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Trellix ePolicy Orchestrator | >=5.9.0<5.10.0 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_1 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_2 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_3 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_4 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_5 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_6 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_7 | |
| Trellix ePolicy Orchestrator | =5.10.0-update_8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-2757 https://nvd.nist.gov/vuln/detail/CVE-2020-2757
- https://bugzilla.redhat.com/show_bug.cgi?id=1823216
- https://access.redhat.com/errata/RHSA-2020:1506
- https://access.redhat.com/errata/RHSA-2020:1508
- https://access.redhat.com/errata/RHSA-2020:2236
- https://access.redhat.com/errata/RHSA-2020:2239
- https://access.redhat.com/errata/RHSA-2020:1507
- https://access.redhat.com/errata/RHSA-2020:1509
- https://access.redhat.com/errata/RHSA-2020:1512
- https://access.redhat.com/errata/RHSA-2020:2237
- https://access.redhat.com/errata/RHSA-2020:2238
- https://access.redhat.com/errata/RHSA-2020:1514
- https://access.redhat.com/errata/RHSA-2020:1515
- https://access.redhat.com/errata/RHSA-2020:2241
- https://access.redhat.com/errata/RHSA-2020:1516
- https://access.redhat.com/errata/RHSA-2020:1517
- https://access.redhat.com/security/cve/cve-2020-2757
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2020/dsa-4662
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- https://usn.ubuntu.com/4337-1/
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- https://security.gentoo.org/glsa/202006-22
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://security.gentoo.org/glsa/202209-15
- https://launchpad.net/bugs/cve/CVE-2020-2757
- https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/19f4afec0d04
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a75922cb4096
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/1a95d48e5ff1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/179657
- https://www.ibm.com/support/pages/node/6398724 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-2757
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2757
- https://nvd.nist.gov/vuln/detail/CVE-2020-2757
- https://ubuntu.com/security/CVE-2020-2757
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2020-2757?
The severity of CVE-2020-2757 is low with a severity value of 3.7.
Which versions of Java SE are affected by CVE-2020-2757?
Java SE versions 7u251, 8u241, 11.0.6, and 14 are affected by CVE-2020-2757.
What is the vulnerability in Java SE related to CVE-2020-2757?
The vulnerability in Java SE related to CVE-2020-2757 is in the Serialization component.
How can an attacker exploit CVE-2020-2757?
The vulnerability CVE-2020-2757 is difficult to exploit and requires network access by an unauthenticated attacker.
How can I fix CVE-2020-2757?
To fix CVE-2020-2757, update your Java SE to version 7u251, 8u241, 11.0.6, or 14, depending on the affected version.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-2757
- agent/weakness
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/ibm
- canonical/ibm engineering requirements quality assistant
- version/ibm engineering requirements quality assistant/all
- vendor/oracle
- canonical/oracle openjdk 1.8.0
- version/oracle openjdk 1.8.0/1.7.0-update251
- version/oracle openjdk 1.8.0/1.8.0-update241
- version/oracle openjdk 1.8.0/11.0.6
- version/oracle openjdk 1.8.0/14.0.0
- canonical/oracle jre
- version/oracle jre/1.7.0-update251
- version/oracle jre/1.8.0-update241
- version/oracle jre/11.0.6
- version/oracle jre/14.0.0
- canonical/openjdk 8
- version/openjdk 8/11
- version/openjdk 8/11.0.6
- version/openjdk 8/13
- version/openjdk 8/13.0.2
- version/openjdk 8/7
- version/openjdk 8/7-update1
- version/openjdk 8/7-update10
- version/openjdk 8/7-update101
- version/openjdk 8/7-update11
- version/openjdk 8/7-update111
- version/openjdk 8/7-update121
- version/openjdk 8/7-update13
- version/openjdk 8/7-update131
- version/openjdk 8/7-update141
- version/openjdk 8/7-update15
- version/openjdk 8/7-update151
- version/openjdk 8/7-update161
- version/openjdk 8/7-update17
- version/openjdk 8/7-update171
- version/openjdk 8/7-update181
- version/openjdk 8/7-update191
- version/openjdk 8/7-update2
- version/openjdk 8/7-update201
- version/openjdk 8/7-update21
- version/openjdk 8/7-update211
- version/openjdk 8/7-update221
- version/openjdk 8/7-update231
- version/openjdk 8/7-update241
- version/openjdk 8/7-update25
- version/openjdk 8/7-update251
- version/openjdk 8/7-update3
- version/openjdk 8/7-update4
- version/openjdk 8/7-update40
- version/openjdk 8/7-update45
- version/openjdk 8/7-update5
- version/openjdk 8/7-update51
- version/openjdk 8/7-update55
- version/openjdk 8/7-update6
- version/openjdk 8/7-update60
- version/openjdk 8/7-update65
- version/openjdk 8/7-update67
- version/openjdk 8/7-update7
- version/openjdk 8/7-update72
- version/openjdk 8/7-update76
- version/openjdk 8/7-update80
- version/openjdk 8/7-update85
- version/openjdk 8/7-update9
- version/openjdk 8/7-update91
- version/openjdk 8/7-update95
- version/openjdk 8/7-update97
- version/openjdk 8/7-update99
- version/openjdk 8/8
- version/openjdk 8/8-update101
- version/openjdk 8/8-update102
- version/openjdk 8/8-update11
- version/openjdk 8/8-update111
- version/openjdk 8/8-update112
- version/openjdk 8/8-update121
- version/openjdk 8/8-update131
- version/openjdk 8/8-update141
- version/openjdk 8/8-update151
- version/openjdk 8/8-update152
- version/openjdk 8/8-update161
- version/openjdk 8/8-update162
- version/openjdk 8/8-update171
- version/openjdk 8/8-update172
- version/openjdk 8/8-update181
- version/openjdk 8/8-update191
- version/openjdk 8/8-update192
- version/openjdk 8/8-update20
- version/openjdk 8/8-update201
- version/openjdk 8/8-update202
- version/openjdk 8/8-update211
- version/openjdk 8/8-update212
- version/openjdk 8/8-update221
- version/openjdk 8/8-update231
- version/openjdk 8/8-update241
- version/openjdk 8/8-update25
- version/openjdk 8/8-update31
- version/openjdk 8/8-update40
- version/openjdk 8/8-update45
- version/openjdk 8/8-update5
- version/openjdk 8/8-update51
- version/openjdk 8/8-update60
- version/openjdk 8/8-update65
- version/openjdk 8/8-update66
- version/openjdk 8/8-update71
- version/openjdk 8/8-update72
- version/openjdk 8/8-update73
- version/openjdk 8/8-update74
- version/openjdk 8/8-update77
- version/openjdk 8/8-update91
- version/openjdk 8/8-update92
- version/openjdk 8/14
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager
- version/netapp active iq unified manager/7.3
- version/netapp active iq unified manager/9.5
- canonical/netapp cloud backup
- canonical/netapp cloud secure agent
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp e-series santricity web services
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp e-series santricity unified manager
- canonical/netapp snapmanager for sap
- canonical/netapp snapmanager for oracle
- canonical/netapp steelstore cloud integrated storage
- canonical/netapp storagegrid
- version/netapp storagegrid/9.0.0
- version/netapp storagegrid/9.0.4
- vendor/fedoraproject
- canonical/fedora
- version/fedora/30
- version/fedora/31
- version/fedora/32
- vendor/opensuse
- canonical/suse linux
- version/suse linux/15.1
- version/suse linux/15.2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.10
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- vendor/mcafee
- canonical/trellix epolicy orchestrator
- version/trellix epolicy orchestrator/5.9.0
- version/trellix epolicy orchestrator/5.10.0-update_1
- version/trellix epolicy orchestrator/5.10.0-update_2
- version/trellix epolicy orchestrator/5.10.0-update_3
- version/trellix epolicy orchestrator/5.10.0-update_4
- version/trellix epolicy orchestrator/5.10.0-update_5
- version/trellix epolicy orchestrator/5.10.0-update_6
- version/trellix epolicy orchestrator/5.10.0-update_7
- version/trellix epolicy orchestrator/5.10.0-update_8