CVE-2020-2805
📋 TL;DR
This vulnerability in Oracle Java SE and Java SE Embedded libraries allows an attacker to compromise Java deployments via multiple network protocols. It primarily affects clients running sandboxed Java Web Start applications or applets that load untrusted code from the internet. Successful exploitation requires human interaction (like clicking a malicious link) but can lead to complete system takeover.
💻 Affected Systems
- Oracle Java SE
- Oracle Java SE Embedded
📦 What is this software?
E Series Santricity Os Controller by Netapp
E Series Santricity Web Services by Netapp
Fedora by Fedoraproject
Jdk by Oracle
Jre by Oracle
Leap by Opensuse
Openjdk by Oracle
Steelstore Cloud Integrated Storage by Netapp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Java SE/Java SE Embedded deployments leading to full system takeover, data exfiltration, and lateral movement within the network.
Likely Case
Compromise of client systems through malicious Java applets or Web Start applications, potentially leading to credential theft, malware installation, or data loss.
If Mitigated
Limited impact if systems only run trusted code or have Java disabled for untrusted sources; sandbox escape prevented.
🎯 Exploit Status
Exploitation requires human interaction (UI:R in CVSS) and is difficult to exploit (AC:H). No public exploit code identified in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Java SE: 7u261, 8u251, 11.0.7, 14.0.1; Java SE Embedded: 8u251
Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2020.html
Restart Required: Yes
Instructions:
1. Download the latest Java version from Oracle.
2. Uninstall old Java versions.
3. Install the patched version.
4. Restart affected systems/applications.
🔧 Temporary Workarounds
Disable Java in browsers
Prevent Java applets from running in web browsers to block common attack vectors.
Browser-specific: Disable Java plugin/add-on
Restrict Java Web Start
Configure systems to only run signed/trusted Java Web Start applications.
Configure Java Control Panel: Security → Exception Site List
🧯 If You Can't Patch
- Disable Java entirely on systems not requiring it
- Implement network segmentation to isolate Java clients from critical assets
🔍 How to Verify
Check if Vulnerable:
Run 'java -version' and check whether the reported version falls in the affected ranges: 7u251, 8u241, 11.0.6, 14, or Java SE Embedded 8u241.
Check Version:
java -version
Verify Fix Applied:
Run 'java -version' and confirm version is 7u261+, 8u251+, 11.0.7+, or 14.0.1+.
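The version check above is easy to get wrong by eye because Java 7 and 8 report themselves as '1.7.0_NNN' and '1.8.0_NNN' while Java 11 and 14 use '11.0.N' and '14.0.N'. The script below is an added example (not part of this advisory or of Oracle's tooling) that parses 'java -version' output in both formats and compares it against the fixed versions listed in the Official Fix section (7u261, 8u251, 11.0.7, 14.0.1). The sample outputs embedded in it are constructed to match the shape 'java -version' prints and were not captured from real hosts; the FIXED_VERSIONS table, function names and the VULNERABLE/FIXED/NOT_COVERED/UNKNOWN labels are this example's own choices. It compares only against the Oracle version numbers given on this page; for distribution-packaged OpenJDK, consult the distribution advisories in the references.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions taken from the advisory's "Official Fix" section
# (Java SE 7u261, 8u251, 11.0.7, 14.0.1). Families 7/8 compare as
# (family, update); families 11/14 compare as (family, minor, patch).
FIXED_VERSIONS = {
    7: (7, 261),
    8: (8, 251),
    11: (11, 0, 7),
    14: (14, 0, 1),
}

VERSION_RE = re.compile(r'version "([^"]+)"')
LEGACY_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")       # 1.8.0_241 -> (8, 241)
MODERN_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")   # 11.0.6 -> (11, 0, 6); 14 -> (14, 0, 0)


def parse_java_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the quoted version from `java -version` output and normalise it
    into a comparable tuple. Returns None if no version string is present."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    raw = m.group(1)
    legacy = LEGACY_RE.match(raw)
    if legacy:
        return (int(legacy.group(1)), int(legacy.group(2) or 0))
    modern = MODERN_RE.match(raw)
    if not modern:
        return None
    major, minor, patch = (int(g) if g else 0 for g in modern.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, ...]) -> Optional[bool]:
    """True if the version is below the fixed release for its family,
    False if at or above it, None if the family is not covered by this advisory."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def assess(output: str) -> str:
    """Classify raw `java -version` output as VULNERABLE, FIXED, NOT_COVERED or UNKNOWN."""
    version = parse_java_version(output)
    if version is None:
        return "UNKNOWN"
    verdict = is_vulnerable(version)
    if verdict is None:
        return "NOT_COVERED"
    return "VULNERABLE" if verdict else "FIXED"


def check_installed_java() -> str:
    """Run the local `java -version` (it prints to stderr) and assess the result."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "UNKNOWN"
    return assess(proc.stderr + proc.stdout)


# Constructed sample outputs in the shape `java -version` prints; not captured from real hosts.
SAMPLE_OUTPUTS = [
    'openjdk version "1.8.0_241"\nOpenJDK Runtime Environment (build 1.8.0_241-b07)',
    'java version "11.0.6" 2020-01-14 LTS\nJava(TM) SE Runtime Environment 18.9 (build 11.0.6+8-LTS)',
    'openjdk version "14" 2020-03-17',
    'java version "1.7.0_261"',
    'openjdk version "11.0.7" 2020-04-14',
    'openjdk version "17.0.2" 2022-01-18',
]

if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(f"{assess(sample):12s} <- {sample.splitlines()[0]}")
    print("installed:", check_installed_java())
```

Running the script assesses the constructed samples first and then the JRE on the current PATH. On a host with several JREs installed, run it once per installation (or point 'java' at each one), since only the first 'java' on the PATH is checked.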
📡 Detection & Monitoring
Log Indicators:
- Unusual Java process spawning
- Java Web Start/applet execution errors
- Security manager violation logs
Network Indicators:
- Unexpected outbound connections from Java processes
- Java network protocol anomalies
SIEM Query:
source="java" AND (event="SecurityException" OR event="sandbox_violation")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00023.html
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00048.html
- https://lists.debian.org/debian-lts-announce/2020/04/msg00024.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKAV6KFFAEANXAN73AFTGU7Z6YNRWCXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L7VHC4EW36KZEIDQ56RPCWBZCQELFFKN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYHHHZRHXCBGRHGE5UP7UEB4IZ2QX536/
- https://security.gentoo.org/glsa/202006-22
- https://security.gentoo.org/glsa/202209-15
- https://security.netapp.com/advisory/ntap-20200416-0004/
- https://usn.ubuntu.com/4337-1/
- https://www.debian.org/security/2020/dsa-4662
- https://www.debian.org/security/2020/dsa-4668
- https://www.oracle.com/security-alerts/cpuapr2020.html