CVE-2020-2601 - Vulnerability Details

- OpenJDK: Use of unsafe RSA-MD5 checksum in Kerberos TGS (Security, 8229951)

Description

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).

Published: 2020-01-15

Score: 6.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Java

affected

Version	Status	Constraints
`Java SE: 7u241, 8u231, 11.0.5, 13.0.1`	affected	—
`Java SE Embedded: 8u231`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:oracle:jdk:1.7.0:update241::::::
	cpe:2.3:a:oracle:jdk:1.8.0:update231::::::
	cpe:2.3:a:oracle:jdk:11.0.5:::::::*
	cpe:2.3:a:oracle:jdk:13.0.1:::::::*
	cpe:2.3:a:oracle:jre:1.7.0:update_241::::::
	cpe:2.3:a:oracle:jre:1.8.0:update_231::::::
	cpe:2.3:a:oracle:jre:11.0.5:::::::*
	cpe:2.3:a:oracle:jre:13.0.1:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:openjdk:7:-::::::
	cpe:2.3:a:oracle:openjdk:7:update241::::::
	cpe:2.3:a:oracle:openjdk:7:update80::::::
	cpe:2.3:a:oracle:openjdk:7:update85::::::
	cpe:2.3:a:oracle:openjdk:8:-::::::
	cpe:2.3:a:oracle:openjdk:8:update102::::::
	cpe:2.3:a:oracle:openjdk:8:update112::::::
	cpe:2.3:a:oracle:openjdk:8:update152::::::
	cpe:2.3:a:oracle:openjdk:8:update162::::::
	cpe:2.3:a:oracle:openjdk:8:update172::::::
	cpe:2.3:a:oracle:openjdk:8:update192::::::
	cpe:2.3:a:oracle:openjdk:8:update20::::::
	cpe:2.3:a:oracle:openjdk:8:update202::::::
	cpe:2.3:a:oracle:openjdk:8:update212::::::
	cpe:2.3:a:oracle:openjdk:8:update222::::::
	cpe:2.3:a:oracle:openjdk:8:update232::::::
	cpe:2.3:a:oracle:openjdk:8:update40::::::
	cpe:2.3:a:oracle:openjdk:8:update60::::::
	cpe:2.3:a:oracle:openjdk:8:update66::::::
	cpe:2.3:a:oracle:openjdk:8:update72::::::
	cpe:2.3:a:oracle:openjdk:8:update92::::::
	cpe:2.3:a:oracle:openjdk:11:::::::*
	cpe:2.3:a:oracle:openjdk:11.0.1:::::::*
	cpe:2.3:a:oracle:openjdk:11.0.2:::::::*
	cpe:2.3:a:oracle:openjdk:11.0.3:::::::*
	cpe:2.3:a:oracle:openjdk:11.0.4:::::::*
	cpe:2.3:a:oracle:openjdk:11.0.5:::::::*
	cpe:2.3:a:oracle:openjdk:13:::::::*
	cpe:2.3:a:oracle:openjdk:13.0.1:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*

Configuration 5 [-]

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 6 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*
	cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*
	cpe:2.3:a:netapp:e-series_performance_analyzer:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_management:-:::::vmware_vcenter::
	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
	cpe:2.3:a:netapp:oncommand_insight:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:santricity_unified_manager:-:::::::*
	cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:::::::*

Configuration 7 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6
java-1.8.0-openjdk-1:1.8.0.242.b07-1.el6_10	cpe:/o:redhat:enterprise_linux:6	RHSA-2020:0157	2020-01-21T00:00:00Z
java-1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el6_10	cpe:/o:redhat:enterprise_linux:6	RHSA-2020:0632	2020-02-27T00:00:00Z
Red Hat Enterprise Linux 6 Supplementary
java-1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el6_10	cpe:/a:redhat:rhel_extras:6	RHSA-2020:3387	2020-08-10T00:00:00Z
Red Hat Enterprise Linux 7
java-11-openjdk-1:11.0.6.10-1.el7_7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:0122	2020-01-16T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.242.b08-0.el7_7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:0196	2020-01-21T00:00:00Z
java-1.7.0-openjdk-1:1.7.0.251-2.6.21.0.el7_7	cpe:/o:redhat:enterprise_linux:7	RHSA-2020:0541	2020-02-19T00:00:00Z
Red Hat Enterprise Linux 7 Supplementary
java-1.7.1-ibm-1:1.7.1.4.70-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2020:3388	2020-08-10T00:00:00Z
java-1.8.0-ibm-1:1.8.0.6.20-1jpp.1.el7	cpe:/a:redhat:rhel_extras:7	RHSA-2020:5585	2020-12-16T00:00:00Z
Red Hat Enterprise Linux 8
java-11-openjdk-1:11.0.6.10-0.el8_1	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:0128	2020-01-16T00:00:00Z
java-1.8.0-openjdk-1:1.8.0.242.b08-0.el8_1	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:0202	2020-01-24T00:00:00Z
java-1.8.0-ibm-1:1.8.0.6.15-1.el8_2	cpe:/a:redhat:enterprise_linux:8::supplementary	RHSA-2020:3386	2020-08-10T00:00:00Z
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
java-1.8.0-openjdk-1:1.8.0.242.b08-0.el8_0	cpe:/a:redhat:rhel_e4s:8.0	RHSA-2020:0231	2020-01-27T00:00:00Z
java-11-openjdk-1:11.0.6.10-0.el8_0	cpe:/a:redhat:rhel_e4s:8.0	RHSA-2020:0232	2020-01-27T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-2128-1	openjdk-7 security update
Debian DSA	DSA-4605-1	openjdk-11 security update
Debian DSA	DSA-4621-1	openjdk-8 security update
EUVD	EUVD-2020-22394	Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Security). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. While the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 6.8 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
Ubuntu USN	USN-4257-1	OpenJDK vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00637.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00050.html
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00060.html
https://access.redhat.com/errata/RHSA-2020:0122
https://access.redhat.com/errata/RHSA-2020:0128
https://access.redhat.com/errata/RHSA-2020:0157
https://access.redhat.com/errata/RHSA-2020:0196
https://access.redhat.com/errata/RHSA-2020:0202
https://access.redhat.com/errata/RHSA-2020:0231
https://access.redhat.com/errata/RHSA-2020:0232
https://access.redhat.com/errata/RHSA-2020:0541
https://access.redhat.com/errata/RHSA-2020:0632
https://lists.debian.org/debian-lts-announce/2020/02/msg00034.html
https://nvd.nist.gov/vuln/detail/CVE-2020-2601
https://seclists.org/bugtraq/2020/Feb/22
https://seclists.org/bugtraq/2020/Jan/24
https://security.gentoo.org/glsa/202101-19
https://security.netapp.com/advisory/ntap-20200122-0003/
https://usn.ubuntu.com/4257-1/
https://www.cve.org/CVERecord?id=CVE-2020-2601
https://www.debian.org/security/2020/dsa-4605
https://www.debian.org/security/2020/dsa-4621
https://www.oracle.com/security-alerts/cpujan2020.html

History

Mon, 30 Sep 2024 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Subscriptions

Canonical Ubuntu Linux

Debian Debian Linux

Netapp Active Iq Unified Manager E-series Performance Analyzer E-series Santricity Management E-series Santricity Os Controller E-series Santricity Storage Manager E-series Santricity Web Services Oncommand Insight Oncommand Workflow Automation Santricity Unified Manager Steelstore Cloud Integrated Storage

Opensuse Leap

Oracle Jdk Jre Openjdk

Redhat Enterprise Linux Enterprise Linux Desktop Enterprise Linux Eus Enterprise Linux Server Enterprise Linux Server Aus Enterprise Linux Server Tus Enterprise Linux Workstation Rhel E4s Rhel Extras

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2020-01-15T16:34:02.000Z

Updated: 2024-09-30T16:22:28.344Z

Reserved: 2019-12-10T00:00:00.000Z

Link: CVE-2020-2601

Vulnrichment

Updated: 2024-08-04T07:09:54.842Z

NVD

Status : Modified

Published: 2020-01-15T17:15:20.300

Modified: 2024-11-21T05:25:41.657

Link: CVE-2020-2601

Redhat

Severity : Important

Publid Date: 2020-01-14T00:00:00Z

Links: CVE-2020-2601 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object