First published: Tue Apr 14 2020
A flaw was found in the way the readObject() method of the MethodType class in the Libraries component of OpenJDK checked argument types. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el6_10 |
redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.1.el6_10 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el6_10 |
redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el6_10 |
redhat/java | <1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 | 1.7.0-openjdk-1:1.7.0.261-2.6.22.2.el7_8 |
redhat/java | <11-openjdk-1:11.0.7.10-4.el7_8 | 11-openjdk-1:11.0.7.10-4.el7_8 |
redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el7_8 |
redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 | 1.8.0-ibm-1:1.8.0.6.10-1jpp.1.el7 |
redhat/java | <1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 | 1.7.1-ibm-1:1.7.1.4.65-1jpp.1.el7 |
redhat/java | <11-openjdk-1:11.0.7.10-1.el8_1 | 11-openjdk-1:11.0.7.10-1.el8_1 |
redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_1 |
redhat/java | <1.8.0-ibm-1:1.8.0.6.10-1.el8_2 | 1.8.0-ibm-1:1.8.0.6.10-1.el8_2 |
redhat/java | <1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 | 1.8.0-openjdk-1:1.8.0.252.b09-2.el8_0 |
redhat/java | <11-openjdk-1:11.0.7.10-1.el8_0 | 11-openjdk-1:11.0.7.10-1.el8_0 |
debian/openjdk-11 | 11.0.24+8-2~deb11u1 11.0.25~5ea-1 | |
debian/openjdk-8 | 8u422-b05-1 | |
IBM Engineering Requirements Quality Assistant | <=All | |
Oracle OpenJDK 1.8.0 | =1.7.0-update251 | |
Oracle OpenJDK 1.8.0 | =1.8.0-update241 | |
Oracle OpenJDK 1.8.0 | =11.0.6 | |
Oracle OpenJDK 1.8.0 | =14.0.0 | |
Oracle JRE | =1.7.0-update_251 | |
Oracle JRE | =1.8.0-update_241 | |
Oracle JRE | =11.0.6 | |
Oracle JRE | =14.0.0 | |
OpenJDK 8 | >=11<=11.0.6 | |
OpenJDK 8 | >=13<=13.0.2 | |
OpenJDK 8 | =7 | |
OpenJDK 8 | =7-update1 | |
OpenJDK 8 | =7-update10 | |
OpenJDK 8 | =7-update101 | |
OpenJDK 8 | =7-update11 | |
OpenJDK 8 | =7-update111 | |
OpenJDK 8 | =7-update121 | |
OpenJDK 8 | =7-update13 | |
OpenJDK 8 | =7-update131 | |
OpenJDK 8 | =7-update141 | |
OpenJDK 8 | =7-update15 | |
OpenJDK 8 | =7-update151 | |
OpenJDK 8 | =7-update161 | |
OpenJDK 8 | =7-update17 | |
OpenJDK 8 | =7-update171 | |
OpenJDK 8 | =7-update181 | |
OpenJDK 8 | =7-update191 | |
OpenJDK 8 | =7-update2 | |
OpenJDK 8 | =7-update201 | |
OpenJDK 8 | =7-update21 | |
OpenJDK 8 | =7-update211 | |
OpenJDK 8 | =7-update221 | |
OpenJDK 8 | =7-update231 | |
OpenJDK 8 | =7-update241 | |
OpenJDK 8 | =7-update25 | |
OpenJDK 8 | =7-update251 | |
OpenJDK 8 | =7-update3 | |
OpenJDK 8 | =7-update4 | |
OpenJDK 8 | =7-update40 | |
OpenJDK 8 | =7-update45 | |
OpenJDK 8 | =7-update5 | |
OpenJDK 8 | =7-update51 | |
OpenJDK 8 | =7-update55 | |
OpenJDK 8 | =7-update6 | |
OpenJDK 8 | =7-update60 | |
OpenJDK 8 | =7-update65 | |
OpenJDK 8 | =7-update67 | |
OpenJDK 8 | =7-update7 | |
OpenJDK 8 | =7-update72 | |
OpenJDK 8 | =7-update76 | |
OpenJDK 8 | =7-update80 | |
OpenJDK 8 | =7-update85 | |
OpenJDK 8 | =7-update9 | |
OpenJDK 8 | =7-update91 | |
OpenJDK 8 | =7-update95 | |
OpenJDK 8 | =7-update97 | |
OpenJDK 8 | =7-update99 | |
OpenJDK 8 | =8 | |
OpenJDK 8 | =8-update101 | |
OpenJDK 8 | =8-update102 | |
OpenJDK 8 | =8-update11 | |
OpenJDK 8 | =8-update111 | |
OpenJDK 8 | =8-update112 | |
OpenJDK 8 | =8-update121 | |
OpenJDK 8 | =8-update131 | |
OpenJDK 8 | =8-update141 | |
OpenJDK 8 | =8-update151 | |
OpenJDK 8 | =8-update152 | |
OpenJDK 8 | =8-update161 | |
OpenJDK 8 | =8-update162 | |
OpenJDK 8 | =8-update171 | |
OpenJDK 8 | =8-update172 | |
OpenJDK 8 | =8-update181 | |
OpenJDK 8 | =8-update191 | |
OpenJDK 8 | =8-update192 | |
OpenJDK 8 | =8-update20 | |
OpenJDK 8 | =8-update201 | |
OpenJDK 8 | =8-update202 | |
OpenJDK 8 | =8-update211 | |
OpenJDK 8 | =8-update212 | |
OpenJDK 8 | =8-update221 | |
OpenJDK 8 | =8-update231 | |
OpenJDK 8 | =8-update241 | |
OpenJDK 8 | =8-update25 | |
OpenJDK 8 | =8-update31 | |
OpenJDK 8 | =8-update40 | |
OpenJDK 8 | =8-update45 | |
OpenJDK 8 | =8-update5 | |
OpenJDK 8 | =8-update51 | |
OpenJDK 8 | =8-update60 | |
OpenJDK 8 | =8-update65 | |
OpenJDK 8 | =8-update66 | |
OpenJDK 8 | =8-update71 | |
OpenJDK 8 | =8-update72 | |
OpenJDK 8 | =8-update73 | |
OpenJDK 8 | =8-update74 | |
OpenJDK 8 | =8-update77 | |
OpenJDK 8 | =8-update91 | |
OpenJDK 8 | =8-update92 | |
OpenJDK 8 | =14 | |
NetApp 7-Mode Transition Tool | ||
NetApp Active IQ Unified Manager | >=7.3 | |
NetApp Active IQ Unified Manager | >=9.5 | |
NetApp Cloud Backup | ||
NetApp E-Series Performance Analyzer | ||
NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.2 | |
NetApp E-Series SANtricity Web Services | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Workflow Automation | ||
NetApp Plug-in for Symantec NetBackup | ||
NetApp E-Series SANtricity Unified Manager | ||
NetApp SnapManager for SAP | ||
NetApp SnapManager for Oracle | ||
NetApp SteelStore Cloud Integrated Storage | ||
NetApp StorageGrid | >=9.0.0<=9.0.4 | |
NetApp StorageGrid | ||
Debian | =8.0 | |
Debian | =9.0 | |
Debian | =10.0 | |
Fedora | =30 | |
Fedora | =31 | |
Fedora | =32 | |
SUSE Linux | =15.1 | |
SUSE Linux | =15.2 | |
Ubuntu | =16.04 | |
Ubuntu | =18.04 | |
Ubuntu | =19.10 | |
The severity of CVE-2020-2805 is classified as critical due to the potential for bypassing Java sandbox restrictions.
To fix CVE-2020-2805, update to the recommended versions of affected Java packages provided by your vendor.
CVE-2020-2805 affects various Java versions, including OpenJDK and IBM JDK across multiple operating systems.
CVE-2020-2805 can allow untrusted Java applications or applets to bypass Java sandbox security restrictions.
Versions including OpenJDK 1.7, 1.8, and 11, as well as some specific IBM JDK versions, are vulnerable to CVE-2020-2805.