PT-2020-1476 · Oracle+5 · Java Se Embedded+7
Published
2020-01-14
·
Updated
2026-05-08
·
CVE-2020-2604
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Java SE versions 7u241, 8u231, 11.0.5, and 13.0.1
Java SE Embedded version 8u231
Description
The issue is related to insufficient access control in the Serialization component of Oracle Java SE and Java SE Embedded. It can be exploited by an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded, potentially resulting in a takeover. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security. It can also be exploited through APIs in the specified component.
Recommendations
For Java SE versions 7u241, 8u231, 11.0.5, and 13.0.1, update to a version that contains a fix for this issue.
For Java SE Embedded version 8u231, update to a version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the Serialization component until a patch is available.
Avoid using APIs in the specified component to supply data from untrusted sources until the issue is resolved.
Exploit
Fix
DoS
Deserialization of Untrusted Data
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Centos
Ibm Aix
Java Platform
Java Se
Java Se Embedded
Red Hat
Suse
Ubuntu