CVE-2020-2803

8.3 HIGH

📋 TL;DR

This vulnerability in Oracle Java SE and Java SE Embedded allows an attacker to compromise Java deployments via multiple network protocols. It primarily affects client-side Java deployments running sandboxed Java Web Start applications or applets that load untrusted code from the internet. Successful exploitation requires human interaction from someone other than the attacker.

💻 Affected Systems

Products:

Oracle Java SE
Oracle Java SE Embedded

Versions: Java SE: 7u251, 8u241, 11.0.6, 14; Java SE Embedded: 8u241

Operating Systems: All platforms running affected Java versions

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments loading untrusted code (e.g., Java Web Start/applets from internet). Does not affect server deployments running only trusted code.

📦 What is this software?

7 Mode Transition Tool by Netapp

View all CVEs affecting 7 Mode Transition Tool →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Active Iq Unified Manager by Netapp

View all CVEs affecting Active Iq Unified Manager →

Cloud Backup by Netapp

View all CVEs affecting Cloud Backup →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Debian Linux by Debian

View all CVEs affecting Debian Linux →

E Series Performance Analyzer by Netapp

View all CVEs affecting E Series Performance Analyzer →

E Series Santricity Os Controller by Netapp

View all CVEs affecting E Series Santricity Os Controller →

E Series Santricity Web Services by Netapp

View all CVEs affecting E Series Santricity Web Services →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jdk by Oracle

View all CVEs affecting Jdk →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Jre by Oracle

View all CVEs affecting Jre →

Leap by Opensuse

View all CVEs affecting Leap →

Leap by Opensuse

View all CVEs affecting Leap →

Oncommand Insight by Netapp

View all CVEs affecting Oncommand Insight →

Oncommand Workflow Automation by Netapp

View all CVEs affecting Oncommand Workflow Automation →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Openjdk by Oracle

View all CVEs affecting Openjdk →

Plug In For Symantec Netbackup by Netapp

View all CVEs affecting Plug In For Symantec Netbackup →

Santricity Unified Manager by Netapp

View all CVEs affecting Santricity Unified Manager →

Snapmanager by Netapp

View all CVEs affecting Snapmanager →

Snapmanager by Netapp

View all CVEs affecting Snapmanager →

Steelstore Cloud Integrated Storage by Netapp

View all CVEs affecting Steelstore Cloud Integrated Storage →

Storagegrid by Netapp

View all CVEs affecting Storagegrid →

Storagegrid by Netapp

View all CVEs affecting Storagegrid →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete takeover of Java SE/Java SE Embedded, potentially leading to full system compromise with confidentiality, integrity, and availability impacts.

🟠

Likely Case

Compromise of client systems through malicious Java applets or Web Start applications, potentially leading to data theft or malware installation.

🟢

If Mitigated

Limited impact if only trusted code is executed or if Java is disabled/removed from internet-facing systems.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: HIGH

Exploitation requires human interaction (victim must interact with malicious content) and is difficult to exploit according to CVSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251

Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2020.html

Restart Required: Yes

Instructions:

1. Download latest Java updates from Oracle. 2. Uninstall old Java versions. 3. Install patched versions. 4. Restart affected systems.

🔧 Temporary Workarounds

Disable Java in browsers

all

Prevent Java applets from running in web browsers

Browser-specific: Disable Java plugin/add-on

Remove Java Web Start

all

Uninstall or disable Java Web Start functionality

sudo apt remove icedtea-netx (Linux)
Control Panel > Programs > Uninstall Java (Windows)

🧯 If You Can't Patch

Disable Java completely on internet-facing systems
Implement network segmentation to isolate Java-dependent applications

🔍 How to Verify

Check if Vulnerable:

Check Java version with 'java -version' and compare to affected versions list

Check Version:

java -version

Verify Fix Applied:

Verify installed Java version is equal to or higher than patched versions

📡 Detection & Monitoring

Log Indicators:

Unusual Java process activity
Java Web Start/applet execution from untrusted sources

Network Indicators:

Java-related network traffic to suspicious destinations
Multiple protocol connections to Java services

SIEM Query:

source="java" AND (event="WebStart" OR event="applet") AND dest_ip NOT IN trusted_networks

📊 Metadata

CVE ID: CVE-2020-2803

CVSS v3 Score: 8.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Published: April 15, 2020

Last Updated: November 21, 2024

🔗 References

http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
https://security.gentoo.org/glsa/202006-22 Third Party Advisory
https://security.gentoo.org/glsa/202209-15 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200416-0004/ Third Party Advisory
https://usn.ubuntu.com/4337-1/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4662 Third Party Advisory
https://www.debian.org/security/2020/dsa-4668 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
https://security.gentoo.org/glsa/202006-22 Third Party Advisory
https://security.gentoo.org/glsa/202209-15 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200416-0004/ Third Party Advisory
https://usn.ubuntu.com/4337-1/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4662 Third Party Advisory
https://www.debian.org/security/2020/dsa-4668 Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html Vendor Advisory