CVE-2020-14593
📋 TL;DR
This vulnerability in the 2D (graphics) component of Oracle Java SE and Java SE Embedded lets an unauthenticated attacker with network access create, delete or modify critical data reachable by the JVM, by getting a sandboxed Java applet or Java Web Start application to load and run untrusted code. Oracle names Java SE 7u261, 8u251, 11.0.7 and 14.0.1 and Java SE Embedded 8u251 as the affected supported releases (earlier, unsupported releases in each family carry no fix either). It applies to client deployments that rely on the Java sandbox to run untrusted internet code, not to servers that run only trusted, administrator-installed code.
💻 Affected Systems
- Oracle Java SE
- Oracle Java SE Embedded
📦 What is this software?
E-Series SANtricity OS Controller by NetApp
E-Series SANtricity Web Services by NetApp
Fedora by Fedora Project
JDK by Oracle
JRE by Oracle
Leap by openSUSE
OpenJDK by Oracle
SteelStore Cloud Integrated Storage by NetApp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
An attacker who gets a sandboxed applet or Web Start application running on a client can create, delete or modify critical data reachable by that JVM, per Oracle's advisory. In this deployment model the sandbox is the only barrier between internet code and the user's data, so its failure amounts to a compromise of the client.
Likely Case
A user launches attacker-supplied JNLP or applet content from the internet; the attacker gains write access to data the JVM can reach and uses it as a foothold for further action on the client.
If Mitigated
Upgrading to the fixed release removes the vulnerability. Deployments that load and run only trusted code (typically servers running administrator-installed code) are not affected, per Oracle's note. Java SE 11 and later ship without the browser plugin and Java Web Start, so on those versions the untrusted-code path exists only where an application itself runs third-party code under a SecurityManager sandbox.
🎯 Exploit Status
Oracle rates the issue as easily exploitable by an unauthenticated attacker with network access via multiple protocols, but exploitation requires the victim JVM to load and run attacker-controlled code under the sandbox (a malicious applet or Web Start application). None of the references on this page cite a public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java SE: 7u271, 8u261, 11.0.8, 14.0.2; Java SE Embedded: 8u261
Vendor Advisory: https://www.oracle.com/security-alerts/cpujul2020.html
Restart Required: Yes
Instructions:
1. Oracle Java SE/JRE: install the July 2020 Critical Patch Update release for your family (7u271, 8u261, 11.0.8, 14.0.2) from Oracle, then remove the superseded installation so no old JRE or browser plugin remains registered. 2. Linux distributions: update the OpenJDK packages through the distribution advisory (e.g. USN-4433-1 and USN-4453-1 for Ubuntu, DSA-4734 for Debian) rather than Oracle binaries. 3. Look for additional JREs installed side by side or bundled inside applications; each must be updated separately, since 'java -version' only reports the runtime first on PATH. 4. Restart the affected applications and browsers so the new runtime is loaded.
🔧 Temporary Workarounds
Disable Java in browsers
Prevent Java applets from running in web browsers (all platforms): disable the Java plugin/add-on in each browser, and turn off 'Enable Java content in browser' in the Java Control Panel so the plugin is not registered at all.
Restrict Java Web Start
Disable or restrict Java Web Start applications (all platforms); where Web Start is still needed for an internal application, restrict launches to signed code from trusted sources.
Windows: Control Panel > Java > Security > uncheck 'Enable Java content in browser'
Linux: set deployment.webjava.enabled=false in the system-level deployment.properties (referenced from deployment.config) and add the matching .locked key so users cannot re-enable it from the Control Panel
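The Linux workaround above as a concrete system-level lockdown, added here as an example and not taken from the advisory. It applies to Oracle JRE 7/8 clients that carry the deployment toolkit; Java 11 and later have no browser plugin or Web Start to disable. The file locations are Oracle's documented defaults for the system-level deployment.config; the property values are this example's choices.

```properties
# Added example, not part of the advisory: system-level Java deployment
# configuration that disables Java content in browsers and locks the
# setting. Paths are Oracle's documented defaults for Linux.

# --- /etc/.java/deployment/deployment.config ---
# (Windows equivalent: <Windows directory>\Sun\Java\Deployment\deployment.config)
# Point every JRE on the host at one mandatory system properties file.
deployment.system.config=file:///etc/.java/deployment/deployment.properties
deployment.system.config.mandatory=true

# --- /etc/.java/deployment/deployment.properties ---
# Weak (default) setting: Java content in the browser is on, so applets
# and browser-launched Web Start applications run under the sandbox that
# this CVE breaks.
#   deployment.webjava.enabled=true

# Hardened: turn it off and lock it so users cannot re-enable it from the
# Java Control Panel or their per-user deployment.properties.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked

# Where Web Start must remain for an internal application, require the
# strictest security level and lock it: only applications signed with a
# valid certificate from a trusted CA are then allowed to run.
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Deploy both files with the configuration management tool already in use and verify on a client by opening the Java Control Panel: the 'Enable Java content in browser' box should be cleared and greyed out.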
🧯 If You Can't Patch
- Disable Java in all web browsers and restrict Java Web Start usage
- Implement network segmentation to isolate Java clients and monitor for suspicious Java network activity
🔍 How to Verify
Check if Vulnerable:
Run 'java -version' and compare against the fix releases: any Java 7 below 1.7.0_271, Java 8 (including Embedded) below 1.8.0_261, Java 11 below 11.0.8, or Java 14 below 14.0.2 is unpatched; 1.7.0_261, 1.8.0_251, 11.0.7 and 14.0.1 are the last affected releases Oracle names. 'java -version' reports only the runtime first on PATH, so check every installation (e.g. 'update-alternatives --list java' on Debian/Ubuntu, the JRE registered with the browser plugin, and JREs bundled with applications).
Check Version:
java -version
Verify Fix Applied:
Run 'java -version' and verify the version is at or above 1.7.0_271, 1.8.0_261 (OpenJDK builds: 1.8.0_262), 11.0.8 or 14.0.2. For distribution packages, also confirm the package version against the distribution advisory, since a fix can be backported under a differently numbered build.
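The version comparison described above, as an added shell example rather than a tool from the advisory. It parses the first line of a 'java -version' banner and classifies it against the fix releases this page lists (7u271, 8u261, 11.0.8, 14.0.2), treating anything below the fix release in the same family as vulnerable. Only Oracle/OpenJDK build numbering is understood; the sample banners are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the original advisory): classify a
# `java -version` banner against the CVE-2020-14593 fix releases listed
# on this page. Vendor packages that backport the fix under another
# version number must be checked against the vendor advisory instead.

# Pull the quoted version string out of the first banner line, e.g.
#   java version "1.8.0_251"             -> 1.8.0_251
#   openjdk version "11.0.7" 2020-04-14  -> 11.0.7
extract_version() {
    printf '%s\n' "$1" | sed -n '1s/.*version "\([^"]*\)".*/\1/p'
}

# Print one of: vulnerable, patched, not-covered.
classify_version() {
    # Drop build suffixes such as -b08, -ea or +10 before comparing.
    ver=$(printf '%s\n' "$1" | sed 's/[-+].*$//')
    case "$ver" in
        1.7.0_*) num=${ver#1.7.0_}; fix=271 ;;   # Java SE 7: fixed in 7u271
        1.8.0_*) num=${ver#1.8.0_}; fix=261 ;;   # Java SE 8 / Embedded 8: fixed in 8u261
        11|11.*) num=$(printf '%s\n' "$ver" | cut -s -d. -f3); fix=8 ;;  # fixed in 11.0.8
        14|14.*) num=$(printf '%s\n' "$ver" | cut -s -d. -f3); fix=2 ;;  # fixed in 14.0.2
        *) echo not-covered; return 0 ;;          # other families are not in this advisory
    esac
    [ -n "$num" ] || num=0                        # a bare "11" means 11.0.0
    case "$num" in *[!0-9]*) echo not-covered; return 0 ;; esac
    if [ "$num" -lt "$fix" ]; then echo vulnerable; else echo patched; fi
}

# Classify a full banner; prints "<verdict> <version>" or "unparsed".
classify_banner() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unparsed; return 0; fi
    echo "$(classify_version "$v") $v"
}

# Constructed sample banners (not captured from real systems) so the
# script runs offline; in use, pass "$(java -version 2>&1)" instead.
for banner in \
    'java version "1.8.0_251"' \
    'openjdk version "11.0.7" 2020-04-14' \
    'openjdk version "11.0.8" 2020-07-14' \
    'java version "14.0.2" 2020-07-14'
do
    classify_banner "$banner"
done
```

Run it against every runtime on the host, not just the one on PATH: for each path from 'update-alternatives --list java' (Debian/Ubuntu) or from a filesystem search for java binaries, call classify_banner "$("$path" -version 2>&1)".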
📡 Detection & Monitoring
No exploit or CVE-specific signature is published in this page's references, so detection is inventory-driven: find unpatched JREs that still have the browser plugin or Web Start enabled, and treat the generic indicators below as triage hints rather than proof of exploitation.
Log Indicators:
- JVM crash dumps (hs_err_pid*.log) from browser-launched or Web Start JVMs with frames in 2D/graphics code (sun.java2d, libawt)
- SecurityManager AccessControlException entries around graphics operations in sandboxed applications
Network Indicators:
- Unexpected outbound connections from client JVM processes (java, javaw, javaws, browser plugin)
- JNLP file downloads from untrusted or newly seen domains
SIEM Query:
Illustrative Splunk-style search; "java.log" is a placeholder for wherever your JVM or application logs land, and the pattern matches generic 2D errors rather than anything specific to this CVE:
source="java.log" AND ("2D" OR "Graphics2D") AND (error OR exception OR violation)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00041.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00021.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6CFJPOYF3CWYEPCDOAOCNFJTQIKKWPHW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DFZ36XIW5ENQAW6BB7WHRFFTTJX7KGMR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MEPHBZPNSLX43B26DWKB7OS6AROTS2BO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QQUMIAON2YEFRONMIUVHAKYCIOLICDBA/
- https://security.gentoo.org/glsa/202008-24
- https://security.gentoo.org/glsa/202209-15
- https://security.netapp.com/advisory/ntap-20200717-0005/
- https://usn.ubuntu.com/4433-1/
- https://usn.ubuntu.com/4453-1/
- https://www.debian.org/security/2020/dsa-4734
- https://www.oracle.com/security-alerts/cpujul2020.html