CVE-2020-2803: Buffer Overflow
First published: Tue Apr 14 2020(Updated: )
A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 |
| redhat/java | <11-openjdk-1:11.0.7.10-4.el7_8 | 11-openjdk-1:11.0.7.10-4.el7_8 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_1 | 11-openjdk-1:11.0.7.10-1.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.10-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_0 | 11-openjdk-1:11.0.7.10-1.el8_0 |
| Oracle JDK | =1.7.0-update251 | |
| Oracle JDK | =1.8.0-update241 | |
| Oracle JDK | =11.0.6 | |
| Oracle JDK | =14.0.0 | |
| Oracle JRE | =1.7.0-update_251 | |
| Oracle JRE | =1.8.0-update_241 | |
| Oracle JRE | =11.0.6 | |
| Oracle JRE | =14.0.0 | |
| Oracle OpenJDK | >=11<=11.0.6 | |
| Oracle OpenJDK | >=13<=13.0.2 | |
| Oracle OpenJDK | =7 | |
| Oracle OpenJDK | =7-update1 | |
| Oracle OpenJDK | =7-update10 | |
| Oracle OpenJDK | =7-update101 | |
| Oracle OpenJDK | =7-update11 | |
| Oracle OpenJDK | =7-update111 | |
| Oracle OpenJDK | =7-update121 | |
| Oracle OpenJDK | =7-update13 | |
| Oracle OpenJDK | =7-update131 | |
| Oracle OpenJDK | =7-update141 | |
| Oracle OpenJDK | =7-update15 | |
| Oracle OpenJDK | =7-update151 | |
| Oracle OpenJDK | =7-update161 | |
| Oracle OpenJDK | =7-update17 | |
| Oracle OpenJDK | =7-update171 | |
| Oracle OpenJDK | =7-update181 | |
| Oracle OpenJDK | =7-update191 | |
| Oracle OpenJDK | =7-update2 | |
| Oracle OpenJDK | =7-update201 | |
| Oracle OpenJDK | =7-update21 | |
| Oracle OpenJDK | =7-update211 | |
| Oracle OpenJDK | =7-update221 | |
| Oracle OpenJDK | =7-update231 | |
| Oracle OpenJDK | =7-update241 | |
| Oracle OpenJDK | =7-update25 | |
| Oracle OpenJDK | =7-update251 | |
| Oracle OpenJDK | =7-update3 | |
| Oracle OpenJDK | =7-update4 | |
| Oracle OpenJDK | =7-update40 | |
| Oracle OpenJDK | =7-update45 | |
| Oracle OpenJDK | =7-update5 | |
| Oracle OpenJDK | =7-update51 | |
| Oracle OpenJDK | =7-update55 | |
| Oracle OpenJDK | =7-update6 | |
| Oracle OpenJDK | =7-update60 | |
| Oracle OpenJDK | =7-update65 | |
| Oracle OpenJDK | =7-update67 | |
| Oracle OpenJDK | =7-update7 | |
| Oracle OpenJDK | =7-update72 | |
| Oracle OpenJDK | =7-update76 | |
| Oracle OpenJDK | =7-update80 | |
| Oracle OpenJDK | =7-update85 | |
| Oracle OpenJDK | =7-update9 | |
| Oracle OpenJDK | =7-update91 | |
| Oracle OpenJDK | =7-update95 | |
| Oracle OpenJDK | =7-update97 | |
| Oracle OpenJDK | =7-update99 | |
| Oracle OpenJDK | =8 | |
| Oracle OpenJDK | =8-update101 | |
| Oracle OpenJDK | =8-update102 | |
| Oracle OpenJDK | =8-update11 | |
| Oracle OpenJDK | =8-update111 | |
| Oracle OpenJDK | =8-update112 | |
| Oracle OpenJDK | =8-update121 | |
| Oracle OpenJDK | =8-update131 | |
| Oracle OpenJDK | =8-update141 | |
| Oracle OpenJDK | =8-update151 | |
| Oracle OpenJDK | =8-update152 | |
| Oracle OpenJDK | =8-update161 | |
| Oracle OpenJDK | =8-update162 | |
| Oracle OpenJDK | =8-update171 | |
| Oracle OpenJDK | =8-update172 | |
| Oracle OpenJDK | =8-update181 | |
| Oracle OpenJDK | =8-update191 | |
| Oracle OpenJDK | =8-update192 | |
| Oracle OpenJDK | =8-update20 | |
| Oracle OpenJDK | =8-update201 | |
| Oracle OpenJDK | =8-update202 | |
| Oracle OpenJDK | =8-update211 | |
| Oracle OpenJDK | =8-update212 | |
| Oracle OpenJDK | =8-update221 | |
| Oracle OpenJDK | =8-update231 | |
| Oracle OpenJDK | =8-update241 | |
| Oracle OpenJDK | =8-update25 | |
| Oracle OpenJDK | =8-update31 | |
| Oracle OpenJDK | =8-update40 | |
| Oracle OpenJDK | =8-update45 | |
| Oracle OpenJDK | =8-update5 | |
| Oracle OpenJDK | =8-update51 | |
| Oracle OpenJDK | =8-update60 | |
| Oracle OpenJDK | =8-update65 | |
| Oracle OpenJDK | =8-update66 | |
| Oracle OpenJDK | =8-update71 | |
| Oracle OpenJDK | =8-update72 | |
| Oracle OpenJDK | =8-update73 | |
| Oracle OpenJDK | =8-update74 | |
| Oracle OpenJDK | =8-update77 | |
| Oracle OpenJDK | =8-update91 | |
| Oracle OpenJDK | =8-update92 | |
| Oracle OpenJDK | =14 | |
| NetApp 7-Mode Transition Tool | ||
| Netapp Active Iq Unified Manager Windows | >=7.3 | |
| Netapp Active Iq Unified Manager Vsphere | >=9.5 | |
| Netapp Cloud Backup | ||
| Netapp E-series Performance Analyzer | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| Netapp Plug-in For Symantec Netbackup | ||
| Netapp Santricity Unified Manager | ||
| Netapp Snapmanager Sap | ||
| Netapp Snapmanager Oracle | ||
| Netapp Steelstore Cloud Integrated Storage | ||
| Netapp Storagegrid | >=9.0.0<=9.0.4 | |
| Netapp Storagegrid | ||
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.10 | |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
| debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
| debian/openjdk-8 | 8u422-b05-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-2803 https://nvd.nist.gov/vuln/detail/CVE-2020-2803
- https://bugzilla.redhat.com/show_bug.cgi?id=1823694
- https://access.redhat.com/errata/RHSA-2020:1506
- https://access.redhat.com/errata/RHSA-2020:1508
- https://access.redhat.com/errata/RHSA-2020:2236
- https://access.redhat.com/errata/RHSA-2020:2239
- https://access.redhat.com/errata/RHSA-2020:1507
- https://access.redhat.com/errata/RHSA-2020:1509
- https://access.redhat.com/errata/RHSA-2020:1512
- https://access.redhat.com/errata/RHSA-2020:2237
- https://access.redhat.com/errata/RHSA-2020:2238
- https://access.redhat.com/errata/RHSA-2020:1514
- https://access.redhat.com/errata/RHSA-2020:1515
- https://access.redhat.com/errata/RHSA-2020:2241
- https://access.redhat.com/errata/RHSA-2020:1516
- https://access.redhat.com/errata/RHSA-2020:1517
- https://access.redhat.com/security/cve/cve-2020-2803
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2020/dsa-4662
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- https://usn.ubuntu.com/4337-1/
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- https://security.gentoo.org/glsa/202006-22
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://security.gentoo.org/glsa/202209-15
- https://launchpad.net/bugs/cve/CVE-2020-2803
- https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/4b2346f5b2d5
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a6dcbf49526c
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/3bdb32006248
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/179701
- https://www.ibm.com/support/pages/node/6398724 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-2803
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803
- https://nvd.nist.gov/vuln/detail/CVE-2020-2803
- https://ubuntu.com/security/CVE-2020-2803
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-2803?
CVE-2020-2803 is a vulnerability in the Java SE and Java SE Embedded product of Oracle Java SE that allows an unauthenticated attacker with network access.
Which versions of Java SE are affected by CVE-2020-2803?
The affected versions of Java SE are 7u251, 8u241, 11.0.6, and 14.
Which versions of Java SE Embedded are affected by CVE-2020-2803?
The affected version of Java SE Embedded is 8u241.
What is the severity of CVE-2020-2803?
The severity of CVE-2020-2803 is high with a severity value of 7.
How can I fix CVE-2020-2803 vulnerability?
To fix the CVE-2020-2803 vulnerability, update to the following versions: Java SE 7u252, 8u252, 11.0.7, and 14.0.1.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-2803
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/event
- collector/ibm-support
- source/IBM
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.7.0-update251
- version/oracle jdk/1.8.0-update241
- version/oracle jdk/11.0.6
- version/oracle jdk/14.0.0
- canonical/oracle jre
- version/oracle jre/1.7.0-update_251
- version/oracle jre/1.8.0-update_241
- version/oracle jre/11.0.6
- version/oracle jre/14.0.0
- canonical/oracle openjdk
- version/oracle openjdk/11
- version/oracle openjdk/11.0.6
- version/oracle openjdk/13
- version/oracle openjdk/13.0.2
- version/oracle openjdk/7
- version/oracle openjdk/7-update1
- version/oracle openjdk/7-update10
- version/oracle openjdk/7-update101
- version/oracle openjdk/7-update11
- version/oracle openjdk/7-update111
- version/oracle openjdk/7-update121
- version/oracle openjdk/7-update13
- version/oracle openjdk/7-update131
- version/oracle openjdk/7-update141
- version/oracle openjdk/7-update15
- version/oracle openjdk/7-update151
- version/oracle openjdk/7-update161
- version/oracle openjdk/7-update17
- version/oracle openjdk/7-update171
- version/oracle openjdk/7-update181
- version/oracle openjdk/7-update191
- version/oracle openjdk/7-update2
- version/oracle openjdk/7-update201
- version/oracle openjdk/7-update21
- version/oracle openjdk/7-update211
- version/oracle openjdk/7-update221
- version/oracle openjdk/7-update231
- version/oracle openjdk/7-update241
- version/oracle openjdk/7-update25
- version/oracle openjdk/7-update251
- version/oracle openjdk/7-update3
- version/oracle openjdk/7-update4
- version/oracle openjdk/7-update40
- version/oracle openjdk/7-update45
- version/oracle openjdk/7-update5
- version/oracle openjdk/7-update51
- version/oracle openjdk/7-update55
- version/oracle openjdk/7-update6
- version/oracle openjdk/7-update60
- version/oracle openjdk/7-update65
- version/oracle openjdk/7-update67
- version/oracle openjdk/7-update7
- version/oracle openjdk/7-update72
- version/oracle openjdk/7-update76
- version/oracle openjdk/7-update80
- version/oracle openjdk/7-update85
- version/oracle openjdk/7-update9
- version/oracle openjdk/7-update91
- version/oracle openjdk/7-update95
- version/oracle openjdk/7-update97
- version/oracle openjdk/7-update99
- version/oracle openjdk/8
- version/oracle openjdk/8-update101
- version/oracle openjdk/8-update102
- version/oracle openjdk/8-update11
- version/oracle openjdk/8-update111
- version/oracle openjdk/8-update112
- version/oracle openjdk/8-update121
- version/oracle openjdk/8-update131
- version/oracle openjdk/8-update141
- version/oracle openjdk/8-update151
- version/oracle openjdk/8-update152
- version/oracle openjdk/8-update161
- version/oracle openjdk/8-update162
- version/oracle openjdk/8-update171
- version/oracle openjdk/8-update172
- version/oracle openjdk/8-update181
- version/oracle openjdk/8-update191
- version/oracle openjdk/8-update192
- version/oracle openjdk/8-update20
- version/oracle openjdk/8-update201
- version/oracle openjdk/8-update202
- version/oracle openjdk/8-update211
- version/oracle openjdk/8-update212
- version/oracle openjdk/8-update221
- version/oracle openjdk/8-update231
- version/oracle openjdk/8-update241
- version/oracle openjdk/8-update25
- version/oracle openjdk/8-update31
- version/oracle openjdk/8-update40
- version/oracle openjdk/8-update45
- version/oracle openjdk/8-update5
- version/oracle openjdk/8-update51
- version/oracle openjdk/8-update60
- version/oracle openjdk/8-update65
- version/oracle openjdk/8-update66
- version/oracle openjdk/8-update71
- version/oracle openjdk/8-update72
- version/oracle openjdk/8-update73
- version/oracle openjdk/8-update74
- version/oracle openjdk/8-update77
- version/oracle openjdk/8-update91
- version/oracle openjdk/8-update92
- version/oracle openjdk/14
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager windows
- version/netapp active iq unified manager windows/7.3
- canonical/netapp active iq unified manager vsphere
- version/netapp active iq unified manager vsphere/9.5
- canonical/netapp cloud backup
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp plug-in for symantec netbackup
- canonical/netapp santricity unified manager
- canonical/netapp snapmanager sap
- canonical/netapp snapmanager oracle
- canonical/netapp steelstore cloud integrated storage
- canonical/netapp storagegrid
- version/netapp storagegrid/9.0.0
- version/netapp storagegrid/9.0.4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.10
- vendor/ibm
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all
- package-manager/debian