5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7 High
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.005 Low
EPSS
Percentile
75.2%
Issue Overview:
OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786)
OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769)
libpng: png_image_free in png.c in libpng has a use-after-free because png_image_free_function is called under png_safe_execute. (CVE-2019-7317)
OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762)
OpenJDK: Insufficient permission checks for file:// URLs on Windows (Networking, 8213431) (CVE-2019-2766)
OpenJDK: Non-constant time comparison in ChaCha20Cipher (Security, 8221344) (
CVE-2019-2818)
OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816)
OpenJDK: Side-channel attack risks in Elliptic Curve (EC) cryptography (Security, 8208698) (CVE-2019-2745)
OpenJDK: Incorrect handling of certificate status messages during TLS handshake (JSSE, 8222678) (CVE-2019-2821)
Affected Packages:
java-11-amazon-corretto
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update java-11-amazon-corretto to update your system.
New Packages:
aarch64:
java-11-amazon-corretto-11.0.4+11-1.amzn2.aarch64
java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.aarch64
java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.aarch64
src:
java-11-amazon-corretto-11.0.4+11-1.amzn2.src
x86_64:
java-11-amazon-corretto-11.0.4+11-1.amzn2.x86_64
java-11-amazon-corretto-headless-11.0.4+11-1.amzn2.x86_64
java-11-amazon-corretto-javadoc-11.0.4+11-1.amzn2.x86_64
Red Hat: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2818, CVE-2019-2821, CVE-2019-7317
Mitre: CVE-2019-2745, CVE-2019-2762, CVE-2019-2766, CVE-2019-2769, CVE-2019-2786, CVE-2019-2816, CVE-2019-2818, CVE-2019-2821, CVE-2019-7317
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
7 High
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.005 Low
EPSS
Percentile
75.2%