Published on: 15 July 2020
Oracle has released a Critical Patch Update (CPU) Advisory with a collection of patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 11 vulnerabilities identified in Java, OpenJDK and OpenJFX affecting multiple sub-components including 2D, Hotspot, ImageIO, JAXP, JSSE, JavaFX and Libraries.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely through various protocols including Apache JServ Protocol (AJP), HTTP, HTTPS, IIOP, MySQL Protocol, SMTPS, OracleNet, TLS or T3.
There are multiple attack vectors. For Java and OpenJDK, an attacker could entice a user to open a specially crafted web page containing an untrusted applet or Web Start application with malicious content, or could submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a local authenticated attacker could log on to the infrastructure of the affected systems to exploit the vulnerabilities. A remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
A complete list of the affected products can be found at:
https://www.oracle.com/security-alerts/cpujul2020.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
For OpenJDK 14.0.2, please refer to the following link:
https://jdk.java.net/14/
Users could also access the security advisory below for information about the security updates for other Oracle products:
https://www.oracle.com/security-alerts/cpujul2020.html
Users may contact their product support vendors for the fixes and assistance.
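An added example, not part of the original advisory or of any vendor tooling: a check that classifies a runtime's `java -version` banner against the fixed releases named on this page (8u261, 11.0.8 and 14.0.2). The function names and sample banners are constructed for illustration, and release families not named on this page are reported as `no-baseline` rather than guessed.

```python
import re

# Fixed releases named on this page (release-notes links and the OpenJDK 14.0.2 link).
# Key: feature release; value: (feature, interim, update) of the patched build.
FIXED = {8: (8, 0, 261), 11: (11, 0, 8), 14: (14, 0, 2)}

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner):
    """Return (feature, interim, update) from `java -version` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?", raw)
    if legacy:  # pre-9 scheme: 1.8.0_251 means feature 8, update 251
        return (int(legacy.group(1)), int(legacy.group(2)), int(legacy.group(3) or 0))
    modern = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.\-+].*)?", raw)
    if modern:  # 9+ scheme: 11.0.7, 14.0.1, or a bare "14" for the first build
        return tuple(int(g or 0) for g in modern.groups())
    return None


def assess(banner):
    """Classify a runtime as 'patched', 'needs-update', 'no-baseline' or 'unparsed'."""
    version = parse_java_version(banner)
    if version is None:
        return "unparsed"
    baseline = FIXED.get(version[0])
    if baseline is None:
        return "no-baseline"  # family not listed on this page; consult the Oracle advisory
    return "patched" if version >= baseline else "needs-update"


# Constructed sample banners (first line of `java -version` output), not from real hosts.
SAMPLES = [
    'java version "1.8.0_251"',
    'java version "1.8.0_261"',
    'openjdk version "11.0.7" 2020-04-14',
    'openjdk version "14.0.2" 2020-07-14',
    'openjdk version "13.0.2" 2020-01-14',
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{assess(banner):13} {banner}")
```

On a host, feed it the text that `java -version` writes to standard error; a `no-baseline` result means the release family has to be checked against the vendor advisory directly.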
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/java/technologies/javase/8u261-relnotes.html
https://www.oracle.com/java/technologies/javase/11-0-8-relnotes.html
https://www.oracle.com/java/technologies/javase/14-0-2-relnotes.html
https://openjdk.java.net/groups/vulnerability/advisories/2020-07-14
https://www.hkcert.org/my_url/en/alert/20071505
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9251
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5019
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15756
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18314
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0188
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0227
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1551
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10193
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12415
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12423
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13990
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1941
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1967
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2555
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2562
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2966 (to CVE-2020-2969)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2971 (to CVE-2020-2978)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2981 (to CVE-2020-2984)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5398
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7595
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8112
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10683
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11656
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14527 (to CVE-2020-14537)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14539 (to CVE-2020-14671)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14673 (to CVE-2020-14682)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14684 (to CVE-2020-14688)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14690 (to CVE-2020-14724)