
Common Vulnerabilities and Exposures Fixes

This section summarizes the JDK Common Vulnerabilities and Exposures (CVE) fixes reflecting the July 2020 OpenJDK changes implemented for the following Zing levels:

  • Zing 13

  • Zing 11

  • Zing 8

  • Zing 7

July 2020 CVE Fixes

Columns: Remote = Remote Exploit without Auth.; Score = CVSS version 3.0 risk base score; AV = Attack Vector; AC = Attack Complexity; PR = Privileges Required; UI = User Interaction; S = Scope; C / I / A = Confidentiality / Integrity / Availability impact; Zing = Supported Zing Versions Affected.

CVE #           Component  Protocol  Remote  Score  AV       AC  PR  UI  S  C  I  A  Zing          Note
CVE-2020-14583  Libraries  Multiple  Yes     8.3    Network  H   N   R   C  H  H  H  13, 11, 8, 7  Note 1
CVE-2020-14593  2D         Multiple  Yes     7.4    Network  L   N   R   C  N  H  N  13, 11, 8, 7  Note 1
CVE-2020-14562  ImageIO    Multiple  Yes     5.3    Network  L   N   N   U  N  N  L  13, 11        Note 1
CVE-2020-14621  JAXP       Multiple  Yes     5.3    Network  L   N   N   U  N  L  N  13, 11, 8, 7  Note 2
CVE-2020-14556  Libraries  Multiple  Yes     4.8    Network  H   N   N   U  L  L  N  13, 11, 8     Note 3
CVE-2020-14573  Hotspot    Multiple  Yes     3.7    Network  H   N   N   U  N  L  N  13, 11        Note 3
CVE-2020-14581  2D         Multiple  Yes     3.7    Network  H   N   N   U  L  N  N  13, 11        Note 3
CVE-2020-14578  Libraries  Multiple  Yes     3.7    Network  H   N   N   U  N  N  L  8, 7          Note 3
CVE-2020-14579  Libraries  Multiple  Yes     3.7    Network  H   N   N   U  N  N  L  8, 7          Note 3
CVE-2020-14577  JSSE       TLS       Yes     3.7    Network  H   N   N   U  L  N  N  13, 11, 8, 7  Note 3

Base and Impact Metrics:

Metric                  Values
Attack Vector           Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity       Low (L) and High (H)
Privileges Required     None (N), Low (L), and High (H)
User Interaction        None (N) and Required (R)
Scope                   Unchanged (U) and Changed (C)
Confidentiality Impact  High (H), Low (L), and None (N)
Integrity Impact        High (H), Low (L), and None (N)
Availability Impact     High (H), Low (L), and None (N)
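As an added example (not part of the Azul page), the Python below encodes each row of the CVE table above as a CVSS v3.0 vector string and recomputes its base score from the published v3.0 formula, so the stated scores can be independently verified or the rows fed into a tracker. The CVE_ROWS list is transcribed from the table; the metric weights and formula are those of the CVSS v3.0 specification.

```python
import math

# Rows transcribed from the July 2020 CVE table above: (CVE, AV, AC, PR, UI, Scope, C, I, A, stated score).
CVE_ROWS = [
    ("CVE-2020-14583", "N", "H", "N", "R", "C", "H", "H", "H", 8.3),
    ("CVE-2020-14593", "N", "L", "N", "R", "C", "N", "H", "N", 7.4),
    ("CVE-2020-14562", "N", "L", "N", "N", "U", "N", "N", "L", 5.3),
    ("CVE-2020-14621", "N", "L", "N", "N", "U", "N", "L", "N", 5.3),
    ("CVE-2020-14556", "N", "H", "N", "N", "U", "L", "L", "N", 4.8),
    ("CVE-2020-14573", "N", "H", "N", "N", "U", "N", "L", "N", 3.7),
    ("CVE-2020-14581", "N", "H", "N", "N", "U", "L", "N", "N", 3.7),
    ("CVE-2020-14578", "N", "H", "N", "N", "U", "N", "N", "L", 3.7),
    ("CVE-2020-14579", "N", "H", "N", "N", "U", "N", "N", "L", 3.7),
    ("CVE-2020-14577", "N", "H", "N", "N", "U", "L", "N", "N", 3.7),
]

# CVSS v3.0 metric weights; the Privileges Required weight depends on Scope.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def roundup(x):
    # Round up to one decimal place using the float-safe integer method from the v3.1 spec.
    n = int(round(x * 100000))
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0

def base_score(av, ac, pr, ui, s, c, i, a):
    # CVSS v3.0 base score from the eight base metrics, given as the single letters used in the table.
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * PR[s][pr] * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(total if s == "U" else 1.08 * total, 10))

def vector(av, ac, pr, ui, s, c, i, a):
    # Standard vector string for the same metrics, for pasting into a tracker or scanner.
    return f"CVSS:3.0/AV:{av}/AC:{ac}/PR:{pr}/UI:{ui}/S:{s}/C:{c}/I:{i}/A:{a}"

def check_rows(rows):
    # Return {cve: (vector, computed, stated)} for every row whose stated score disagrees with the formula.
    bad = {}
    for cve, *metrics, stated in rows:
        computed = base_score(*metrics)
        if computed != stated:
            bad[cve] = (vector(*metrics), computed, stated)
    return bad
```

Running check_rows(CVE_ROWS) returns an empty dict, confirming that every stated score in the table matches the v3.0 formula.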

Notes:

  1. This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

  2. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.

  3. This vulnerability applies to client and server deployments of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.

In-Depth Non-CVE Security Fixes

The following table lists in-depth non-CVE security fixes implemented specifically for Zing.

July 2020 Non-CVE Security Fixes

Patch ID in OpenJDK Bug DB  JDK Levels Applicable in Zing  Synopsis                                    Java Update Type
JDK-8230613                 13, 11, 8, 7                   Better ASCII conversions                    CPU
JDK-8231800                 13, 11, 8, 7                   Better listing of arrays                    CPU
JDK-8232014                 13, 11, 8, 7                   Expand DTD support                          CPU
JDK-8233234                 13, 11                         Better Zip naming                           CPU
JDK-8233255                 13, 11, 8, 7                   Better Swing Buttons                        CPU
JDK-8234032                 13, 11, 8, 7                   Improve basic calendar services             CPU
JDK-8234042                 13, 11, 8, 7                   Better factory production of certificates   CPU
JDK-8234418                 13, 11, 8, 7                   Better parsing with CertificateFactory      CPU
JDK-8234836                 13, 11, 8, 7                   Improve serialization handling              CPU
JDK-8236191                 13, 11, 8, 7                   Enhance OID processing                      CPU
JDK-8238013                 13, 11                         Enhance String writing                      CPU
JDK-8238804                 13, 11, 8, 7                   Enhance key handling process                CPU
JDK-8238843                 13, 11, 8, 7                   Enhanced font handing                       CPU
JDK-8238925                 13, 11, 8, 7                   Enhance WAV file playback                   CPU
JDK-8239966                 13, 11, 8                      Enhance XML handling                        CPU
JDK-8240482                 13, 11, 8, 7                   Improved WAV file playback                  CPU
JDK-8241108                 13, 11, 8                      Glib improvements                           CPU
JDK-8241379                 13, 11, 8, 7                   Update JCEKS support                        CPU
JDK-8241522                 13, 11, 8                      Manifest improved jar headers redux         CPU

Last modified: July 31, 2020


© Azul Systems, Inc. 2020 All rights reserved.
