CVE-2020-2803: Buffer Overflow
First published: Tue Apr 14 2020(Updated: )
A flaw was found in the boundary checks in the java.nio buffer classes in the Libraries component of OpenJDK, where it is bypassed in certain cases. This flaw allows an untrusted Java application or applet o bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 |
| redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 |
| redhat/java | <11-openjdk-1:11.0.7.10-4.el7_8 | 11-openjdk-1:11.0.7.10-4.el7_8 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 |
| redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_1 | 11-openjdk-1:11.0.7.10-1.el8_1 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 |
| redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.10-1.el8_2 |
| redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 |
| redhat/java | <11-openjdk-1:11.0.7.10-1.el8_0 | 11-openjdk-1:11.0.7.10-1.el8_0 |
| IBM Engineering Requirements Quality Assistant On-Premises | <=All | |
| debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
| debian/openjdk-8 | 8u422-b05-1 | |
| Oracle JDK 6 | =1.7.0-update251 | |
| Oracle JDK 6 | =1.8.0-update241 | |
| Oracle JDK 6 | =11.0.6 | |
| Oracle JDK 6 | =14.0.0 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update_251 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update_241 | |
| Oracle Java Runtime Environment (JRE) | =11.0.6 | |
| Oracle Java Runtime Environment (JRE) | =14.0.0 | |
| OpenJDK 17 | >=11<=11.0.6 | |
| OpenJDK 17 | >=13<=13.0.2 | |
| OpenJDK 17 | =7 | |
| OpenJDK 17 | =7-update1 | |
| OpenJDK 17 | =7-update10 | |
| OpenJDK 17 | =7-update101 | |
| OpenJDK 17 | =7-update11 | |
| OpenJDK 17 | =7-update111 | |
| OpenJDK 17 | =7-update121 | |
| OpenJDK 17 | =7-update13 | |
| OpenJDK 17 | =7-update131 | |
| OpenJDK 17 | =7-update141 | |
| OpenJDK 17 | =7-update15 | |
| OpenJDK 17 | =7-update151 | |
| OpenJDK 17 | =7-update161 | |
| OpenJDK 17 | =7-update17 | |
| OpenJDK 17 | =7-update171 | |
| OpenJDK 17 | =7-update181 | |
| OpenJDK 17 | =7-update191 | |
| OpenJDK 17 | =7-update2 | |
| OpenJDK 17 | =7-update201 | |
| OpenJDK 17 | =7-update21 | |
| OpenJDK 17 | =7-update211 | |
| OpenJDK 17 | =7-update221 | |
| OpenJDK 17 | =7-update231 | |
| OpenJDK 17 | =7-update241 | |
| OpenJDK 17 | =7-update25 | |
| OpenJDK 17 | =7-update251 | |
| OpenJDK 17 | =7-update3 | |
| OpenJDK 17 | =7-update4 | |
| OpenJDK 17 | =7-update40 | |
| OpenJDK 17 | =7-update45 | |
| OpenJDK 17 | =7-update5 | |
| OpenJDK 17 | =7-update51 | |
| OpenJDK 17 | =7-update55 | |
| OpenJDK 17 | =7-update6 | |
| OpenJDK 17 | =7-update60 | |
| OpenJDK 17 | =7-update65 | |
| OpenJDK 17 | =7-update67 | |
| OpenJDK 17 | =7-update7 | |
| OpenJDK 17 | =7-update72 | |
| OpenJDK 17 | =7-update76 | |
| OpenJDK 17 | =7-update80 | |
| OpenJDK 17 | =7-update85 | |
| OpenJDK 17 | =7-update9 | |
| OpenJDK 17 | =7-update91 | |
| OpenJDK 17 | =7-update95 | |
| OpenJDK 17 | =7-update97 | |
| OpenJDK 17 | =7-update99 | |
| OpenJDK 17 | =8 | |
| OpenJDK 17 | =8-update101 | |
| OpenJDK 17 | =8-update102 | |
| OpenJDK 17 | =8-update11 | |
| OpenJDK 17 | =8-update111 | |
| OpenJDK 17 | =8-update112 | |
| OpenJDK 17 | =8-update121 | |
| OpenJDK 17 | =8-update131 | |
| OpenJDK 17 | =8-update141 | |
| OpenJDK 17 | =8-update151 | |
| OpenJDK 17 | =8-update152 | |
| OpenJDK 17 | =8-update161 | |
| OpenJDK 17 | =8-update162 | |
| OpenJDK 17 | =8-update171 | |
| OpenJDK 17 | =8-update172 | |
| OpenJDK 17 | =8-update181 | |
| OpenJDK 17 | =8-update191 | |
| OpenJDK 17 | =8-update192 | |
| OpenJDK 17 | =8-update20 | |
| OpenJDK 17 | =8-update201 | |
| OpenJDK 17 | =8-update202 | |
| OpenJDK 17 | =8-update211 | |
| OpenJDK 17 | =8-update212 | |
| OpenJDK 17 | =8-update221 | |
| OpenJDK 17 | =8-update231 | |
| OpenJDK 17 | =8-update241 | |
| OpenJDK 17 | =8-update25 | |
| OpenJDK 17 | =8-update31 | |
| OpenJDK 17 | =8-update40 | |
| OpenJDK 17 | =8-update45 | |
| OpenJDK 17 | =8-update5 | |
| OpenJDK 17 | =8-update51 | |
| OpenJDK 17 | =8-update60 | |
| OpenJDK 17 | =8-update65 | |
| OpenJDK 17 | =8-update66 | |
| OpenJDK 17 | =8-update71 | |
| OpenJDK 17 | =8-update72 | |
| OpenJDK 17 | =8-update73 | |
| OpenJDK 17 | =8-update74 | |
| OpenJDK 17 | =8-update77 | |
| OpenJDK 17 | =8-update91 | |
| OpenJDK 17 | =8-update92 | |
| OpenJDK 17 | =14 | |
| NetApp 7-Mode Transition Tool | ||
| netapp active iq unified manager windows | >=7.3 | |
| netapp active iq unified manager vsphere | >=9.5 | |
| netapp cloud backup | ||
| netapp e-series performance analyzer | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
| netapp e-series santricity Web services Web services proxy | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| netapp plug-in for symantec netbackup | ||
| netapp santricity unified manager | ||
| netapp snapmanager sap | ||
| netapp snapmanager Oracle | ||
| NetApp SteelStore | ||
| netapp storagegrid | >=9.0.0<=9.0.4 | |
| netapp storagegrid | ||
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| openSUSE | =15.1 | |
| openSUSE | =15.2 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.10 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Fedora | =30 | |
| Fedora | =31 | |
| Fedora | =32 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-2803 https://nvd.nist.gov/vuln/detail/CVE-2020-2803
- https://bugzilla.redhat.com/show_bug.cgi?id=1823694
- https://access.redhat.com/errata/RHSA-2020:1506
- https://access.redhat.com/errata/RHSA-2020:1508
- https://access.redhat.com/errata/RHSA-2020:2236
- https://access.redhat.com/errata/RHSA-2020:2239
- https://access.redhat.com/errata/RHSA-2020:1507
- https://access.redhat.com/errata/RHSA-2020:1509
- https://access.redhat.com/errata/RHSA-2020:1512
- https://access.redhat.com/errata/RHSA-2020:2237
- https://access.redhat.com/errata/RHSA-2020:2238
- https://access.redhat.com/errata/RHSA-2020:1514
- https://access.redhat.com/errata/RHSA-2020:1515
- https://access.redhat.com/errata/RHSA-2020:2241
- https://access.redhat.com/errata/RHSA-2020:1516
- https://access.redhat.com/errata/RHSA-2020:1517
- https://access.redhat.com/security/cve/cve-2020-2803
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2020/dsa-4662
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- https://usn.ubuntu.com/4337-1/
- https://www.debian.org/security/2020/dsa-4668
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- https://security.gentoo.org/glsa/202006-22
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://security.gentoo.org/glsa/202209-15
- https://launchpad.net/bugs/cve/CVE-2020-2803
- https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/4b2346f5b2d5
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a6dcbf49526c
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/3bdb32006248
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/179701
- https://www.ibm.com/support/pages/node/6398724 (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2020-2803
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2803
- https://nvd.nist.gov/vuln/detail/CVE-2020-2803
- https://ubuntu.com/security/CVE-2020-2803
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-2803?
CVE-2020-2803 is a vulnerability in the Java SE and Java SE Embedded product of Oracle Java SE that allows an unauthenticated attacker with network access.
Which versions of Java SE are affected by CVE-2020-2803?
The affected versions of Java SE are 7u251, 8u241, 11.0.6, and 14.
Which versions of Java SE Embedded are affected by CVE-2020-2803?
The affected version of Java SE Embedded is 8u241.
What is the severity of CVE-2020-2803?
The severity of CVE-2020-2803 is high with a severity value of 7.
How can I fix CVE-2020-2803 vulnerability?
To fix the CVE-2020-2803 vulnerability, update to the following versions: Java SE 7u252, 8u252, 11.0.7, and 14.0.1.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-2803
- agent/weakness
- agent/severity
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- vendor/ibm
- canonical/ibm engineering requirements quality assistant on-premises
- version/ibm engineering requirements quality assistant on-premises/all
- package-manager/debian
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.7.0-update251
- version/oracle jdk 6/1.8.0-update241
- version/oracle jdk 6/11.0.6
- version/oracle jdk 6/14.0.0
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.7.0-update_251
- version/oracle java runtime environment (jre)/1.8.0-update_241
- version/oracle java runtime environment (jre)/11.0.6
- version/oracle java runtime environment (jre)/14.0.0
- canonical/openjdk 17
- version/openjdk 17/11
- version/openjdk 17/11.0.6
- version/openjdk 17/13
- version/openjdk 17/13.0.2
- version/openjdk 17/7
- version/openjdk 17/7-update1
- version/openjdk 17/7-update10
- version/openjdk 17/7-update101
- version/openjdk 17/7-update11
- version/openjdk 17/7-update111
- version/openjdk 17/7-update121
- version/openjdk 17/7-update13
- version/openjdk 17/7-update131
- version/openjdk 17/7-update141
- version/openjdk 17/7-update15
- version/openjdk 17/7-update151
- version/openjdk 17/7-update161
- version/openjdk 17/7-update17
- version/openjdk 17/7-update171
- version/openjdk 17/7-update181
- version/openjdk 17/7-update191
- version/openjdk 17/7-update2
- version/openjdk 17/7-update201
- version/openjdk 17/7-update21
- version/openjdk 17/7-update211
- version/openjdk 17/7-update221
- version/openjdk 17/7-update231
- version/openjdk 17/7-update241
- version/openjdk 17/7-update25
- version/openjdk 17/7-update251
- version/openjdk 17/7-update3
- version/openjdk 17/7-update4
- version/openjdk 17/7-update40
- version/openjdk 17/7-update45
- version/openjdk 17/7-update5
- version/openjdk 17/7-update51
- version/openjdk 17/7-update55
- version/openjdk 17/7-update6
- version/openjdk 17/7-update60
- version/openjdk 17/7-update65
- version/openjdk 17/7-update67
- version/openjdk 17/7-update7
- version/openjdk 17/7-update72
- version/openjdk 17/7-update76
- version/openjdk 17/7-update80
- version/openjdk 17/7-update85
- version/openjdk 17/7-update9
- version/openjdk 17/7-update91
- version/openjdk 17/7-update95
- version/openjdk 17/7-update97
- version/openjdk 17/7-update99
- version/openjdk 17/8
- version/openjdk 17/8-update101
- version/openjdk 17/8-update102
- version/openjdk 17/8-update11
- version/openjdk 17/8-update111
- version/openjdk 17/8-update112
- version/openjdk 17/8-update121
- version/openjdk 17/8-update131
- version/openjdk 17/8-update141
- version/openjdk 17/8-update151
- version/openjdk 17/8-update152
- version/openjdk 17/8-update161
- version/openjdk 17/8-update162
- version/openjdk 17/8-update171
- version/openjdk 17/8-update172
- version/openjdk 17/8-update181
- version/openjdk 17/8-update191
- version/openjdk 17/8-update192
- version/openjdk 17/8-update20
- version/openjdk 17/8-update201
- version/openjdk 17/8-update202
- version/openjdk 17/8-update211
- version/openjdk 17/8-update212
- version/openjdk 17/8-update221
- version/openjdk 17/8-update231
- version/openjdk 17/8-update241
- version/openjdk 17/8-update25
- version/openjdk 17/8-update31
- version/openjdk 17/8-update40
- version/openjdk 17/8-update45
- version/openjdk 17/8-update5
- version/openjdk 17/8-update51
- version/openjdk 17/8-update60
- version/openjdk 17/8-update65
- version/openjdk 17/8-update66
- version/openjdk 17/8-update71
- version/openjdk 17/8-update72
- version/openjdk 17/8-update73
- version/openjdk 17/8-update74
- version/openjdk 17/8-update77
- version/openjdk 17/8-update91
- version/openjdk 17/8-update92
- version/openjdk 17/14
- vendor/netapp
- canonical/netapp 7-mode transition tool
- canonical/netapp active iq unified manager windows
- version/netapp active iq unified manager windows/7.3
- canonical/netapp active iq unified manager vsphere
- version/netapp active iq unified manager vsphere/9.5
- canonical/netapp cloud backup
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp plug-in for symantec netbackup
- canonical/netapp santricity unified manager
- canonical/netapp snapmanager sap
- canonical/netapp snapmanager oracle
- canonical/netapp steelstore
- canonical/netapp storagegrid
- version/netapp storagegrid/9.0.0
- version/netapp storagegrid/9.0.4
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.10
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- canonical/fedora
- version/fedora/30
- version/fedora/31
- version/fedora/32
- canonical/ubuntu
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.10