CVE-2019-2996

Name of the Vulnerable Software and Affected Versions Java SE versions 8u221 Java SE Embedded versions 8u221

Description The issue is related to inadequate access control in the Deployment component of Oracle Java SE and Java SE Embedded. This could allow a remote attacker to modify, add, or delete data, or gain unauthorized access to protected information using the HTTP protocol. The vulnerability is difficult to exploit and requires human interaction from a person other than the attacker. Successful attacks can result in unauthorized access to some Java SE and Java SE Embedded accessible data. This vulnerability applies to Java deployments that load and run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets, and rely on the Java sandbox for security.

Recommendations For Java SE version 8u221, update to a version that includes the fix for this vulnerability. For Java SE Embedded version 8u221, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the Deployment component until a patch is available. Avoid using the HTTP protocol to access sensitive data until the issue is resolved.