Common Vulnerabilities and Exposures Fixes

This section summarizes JDK Common Vulnerabilities and Exposure (CVE) fixes reflecting July 2020 OpenJDK changes implemented for the following Zing levels:

Zing 13
Zing 11
Zing 8
Zing 7

**July 2020 CVE Fixes**
CVSS VERSION 3.0 RISK
CVE #	Component	Protocol	Remote Exploit without Auth.	Base Score	Attack Vector	Attack Complex	Privs Req'd	User Interact	Scope	Confidentiality	Integrity	Availability	Supported Zing Versions Affected	Note
CVE-2020-14583	Libraries	Multiple	Yes	8.3	Network	H	N	R	C	H	H	H	13, 11, 8, 7	Note 1
CVE-2020-14593	2D	Multiple	Yes	7.4	Network	L	N	R	C	N	H	N	13, 11, 8, 7	Note 1
CVE-2020-14562	ImageIO	Multiple	Yes	5.3	Network	L	N	N	U	N	N	L	13, 11	Note 1
CVE-2020-14621	JAXP	Multiple	Yes	5.3	Network	L	N	N	U	N	L	N	13, 11, 8, 7	Note 2
CVE-2020-14556	Libraries	Multiple	Yes	4.8	Network	H	N	N	U	L	L	N	13, 11, 8	Note 3
CVE-2020-14573	Hotspot	Multiple	Yes	3.7	Network	H	N	N	U	N	L	N	13, 11	Note 3
CVE-2020-14581	2D	Multiple	Yes	3.7	Network	H	N	N	U	L	N	N	13, 11	Note 3
CVE-2020-14578	Libraries	Multiple	Yes	3.7	Network	H	N	N	U	N	N	L	8, 7	Note 3
CVE-2020-14579	Libraries	Multiple	Yes	3.7	Network	H	N	N	U	N	N	L	8, 7	Note 3
CVE-2020-14577	JSSE	TLS	Yes	3.7	Network	H	N	N	U	L	N	N	13, 11, 8 , 7	Note 3

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required (R)
Scope	Unchanged (U) and Changed (C)
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Notes:

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
This vulnerability can only be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.
This vulnerability applies to client and server deployment of Java. This vulnerability can be exploited through untrusted code executed under Java sandbox restrictions. It can also be exploited by supplying data to APIs in the specified Component without using untrusted code executed under Java sandbox restrictions, such as through a web service.

In-Depth Non-CVE Security Fixes

The following table lists in-depth non-CVE security fixes implemented specifically for Zing.

**July 2020 Non-CVE Security Fixes**
Patch ID in OpenJDK Bug DB	JDK Levels Applicable in Zing	Synopsis	Java Update Type
JDK-8230613	13, 11, 8, 7	Better ASCII conversions	CPU
JDK-8231800	13, 11, 8, 7	Better listing of arrays	CPU
JDK-8232014	13, 11, 8, 7	Expand DTD support	CPU
JDK-8233234	13, 11	Better Zip naming	CPU
JDK-8233255	13, 11, 8, 7	Better Swing Buttons	CPU
JDK-8234032	13, 11, 8, 7	Improve basic calendar services	CPU
JDK-8234042	13, 11, 8, 7	Better factory production of certificates	CPU
JDK-8234418	13, 11, 8, 7	Better parsing with CertificateFactory	CPU
JDK-8234836	13, 11, 8, 7	Improve serialization handling	CPU
JDK-8236191	13, 11, 8, 7	Enhance OID processing	CPU
JDK-8238013	13, 11	Enhance String writing	CPU
JDK-8238804	13, 11, 8, 7	Enhance key handling process	CPU
JDK-8238843	13, 11, 8, 7	Enhanced font handing	CPU
JDK-8238925	13, 11, 8, 7	Enhance WAV file playback	CPU
JDK-8239966	13, 11, 8	Enhance XML handling	CPU
JDK-8240482	13, 11, 8, 7	Improved WAV file playback	CPU
JDK-8241108	13, 11, 8	Glib improvements	CPU
JDK-8241379	13, 11, 8, 7	Update JCEKS support	CPU
JDK-8241522	13, 11, 8	Manifest improved jar headers redux	CPU

See Also

Last modified: July 31, 2020