Security Alert (A20-07-06): Multiple Vulnerabilities in Oracle Java and Oracle Products (July 2020)
15 July 2020
Oracle has released a Critical Patch Update (CPU) Advisory containing patches for multiple security vulnerabilities found in Java SE and various Oracle products.
There are 11 vulnerabilities identified in Java, OpenJDK and OpenJFX affecting multiple sub-components including 2D, Hotspot, ImageIO, JAXP, JSSE, JavaFX and Libraries.
Vulnerabilities identified in other Oracle products can be exploited through physical access or remotely through various protocols including Apache JServ Protocol (AJP), HTTP, HTTPS, IIOP, MySQL Protocol, SMTPS, OracleNet, TLS or T3.
There are multiple attack vectors. For Java and OpenJDK, an attacker could entice a user to open a specially crafted web page containing an untrusted applet or Web Start application with malicious content, or could submit specially crafted data to APIs in the specified component through a web service. For other Oracle products, a local authenticated attacker could log on to the infrastructure of the affected systems to exploit the vulnerabilities. A remote attacker could send specially crafted network packets to the affected systems to exploit the vulnerabilities.
Oracle Java SE
Oracle Linux and Virtualization
Oracle MySQL Product Suite
Oracle and Sun Systems Products Suite
Fusion Applications and Middleware
A complete list of the affected products can be found at: https://www.oracle.com/security-alerts/cpujul2020.html
Depending on the vulnerability exploited, a successful attack could lead to denial of service, data tampering, information disclosure or compromise of a vulnerable system.
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
For Oracle Java SE products, please refer to the following link:
Java Platform SE 8u261 (JDK and JRE)
Java Platform SE 11.0.8 (JDK and JRE)
Java Platform SE 14.0.2 (JDK and JRE)
http://www.oracle.com/technetwork/java/javase/downloads/index.html
For OpenJDK 14.0.2, please refer to the following link: https://jdk.java.net/14/
Users can also refer to the security advisory below for information about the security updates for other Oracle products: https://www.oracle.com/security-alerts/cpujul2020.html
Users may contact their product support vendors for the fixes and assistance.
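A check for the Java SE releases listed above, as an added example that is not part of the original alert: it parses the banner printed by `java -version` and compares it with 8u261, 11.0.8 and 14.0.2. The function names, result labels and sample banners are constructed for illustration, and families the alert does not list are reported as such rather than judged.

```python
import re

# Patched releases named in the alert, keyed by Java feature family.
# 8u261 is written 1.8.0_261 in the legacy version scheme.
FIXED = {8: (8, 0, 261), 11: (11, 0, 8), 14: (14, 0, 2)}

_BANNER_RE = re.compile(r'version "([^"]+)"')
_LEGACY_RE = re.compile(r'1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?')
_MODERN_RE = re.compile(r'(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)*(?:[-+].*)?')


def parse_java_version(banner):
    """Return (feature, interim, update) from `java -version` output, or None.

    Note that `java -version` writes its banner to stderr, not stdout.
    """
    found = _BANNER_RE.search(banner)
    if not found:
        return None
    raw = found.group(1)
    legacy = _LEGACY_RE.fullmatch(raw)      # e.g. 1.8.0_251 or 1.8.0_261-b12
    if legacy:
        return (int(legacy.group(1)), int(legacy.group(2)),
                int(legacy.group(3) or 0))
    modern = _MODERN_RE.fullmatch(raw)      # e.g. 11.0.7, 14, 14.0.2+12
    if modern:
        return tuple(int(part or 0) for part in modern.groups())
    return None


def classify(banner):
    """Compare a banner with the patched release for its family."""
    version = parse_java_version(banner)
    if version is None:
        return "unparsed"
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "family-not-listed"          # alert names only 8, 11 and 14
    return "at-or-above-fixed" if version >= fixed else "below-fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ('java version "1.8.0_251"',
                   'openjdk version "11.0.8" 2020-07-14',
                   'openjdk version "14.0.1" 2020-04-14'):
        print(f"{sample!r:45} -> {classify(sample)}")
```
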