CVE-2019-2989

Name of the Vulnerable Software and Affected Versions Java SE versions 7u231, 8u221, 11.0.4, and 13 Java SE Embedded version 8u221 Oracle GraalVM Enterprise Edition version 19.2.0

Description The issue is related to errors in handling HTTP proxy responses in the Java virtual machine component. It may allow a remote attacker to compromise the integrity of protected information. The vulnerability is difficult to exploit and can be used by an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, and Oracle GraalVM Enterprise Edition. Successful attacks can result in unauthorized creation, deletion, or modification of access to critical data or all accessible data. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through the use of APIs in the specified component.

Recommendations For Java SE versions 7u231, 8u221, 11.0.4, and 13, update to a version that includes the fix for this vulnerability. For Java SE Embedded version 8u221, update to a version that includes the fix for this vulnerability. For Oracle GraalVM Enterprise Edition version 19.2.0, update to a version that includes the fix for this vulnerability. As a temporary workaround, consider restricting access to the Java SE Serialization component until a patch is available. Restrict access to the vulnerable Java virtual machine component to minimize the risk of exploitation.