Vulnerability Name:

CVE-2020-2585 (CCN-174533)

Assigned: 2019-12-10
Published: 2020-01-14
Updated: 2022-10-27
Summary: Vulnerability in the Java SE product of Oracle Java SE (component: JavaFX). The supported version that is affected is Java SE: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Complete
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Other
References:
Source: MITRE
Type: CNA
CVE-2020-2585

Source: XF
Type: UNKNOWN
oracle-cpujan2020-cve20202585(174533)

Source: GENTOO
Type: Third Party Advisory
GLSA-202006-22

Source: GENTOO
Type: Third Party Advisory
GLSA-202209-15

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20200122-0003/

Source: CCN
Type: Oracle CPUJan2020
Oracle Critical Patch Update Advisory - January 2020

Source: MISC
Type: Patch, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2020.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:oracle:jre:1.8.0:update231:*:*:*:*:*:*
  • OR cpe:/a:oracle:jdk:1.8.0:update231:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
  • OR cpe:/a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  • OR cpe:/a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
  • OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.70.2)

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.disco:def:202025850000000 | V | CVE-2020-2585 on Ubuntu 19.04 (disco) - medium. | 2020-01-15
oval:com.ubuntu.bionic:def:202025850000000 | V | CVE-2020-2585 on Ubuntu 18.04 LTS (bionic) - medium. | 2020-01-15
oval:com.ubuntu.xenial:def:202025850000000 | V | CVE-2020-2585 on Ubuntu 16.04 LTS (xenial) - medium. | 2020-01-15