Bug 1823215 (CVE-2020-2756)

Summary: CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahughes, bkearney, dbhole, java-qa, jvanek, kyoshida, security-response-team, tlestach
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-21 16:32:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1810784, 1810785, 1810786, 1810787, 1810788, 1810789, 1810790, 1810791, 1810792, 1810793, 1810794, 1821435, 1821436, 1821437, 1826103, 1826104, 1832246, 1832247, 1832248, 1832249, 1832250, 1832251, 1832252, 1832253, 1832254    
Bug Blocks: 1810559    

Description Tomas Hoger 2020-04-12 19:58:26 UTC
A flaw was found in the Serialization component of OpenJDK.  A reference to an uninitialized class descriptor encountered during object stream deserialization could cause an unexpected exception to be raised when processing an untrusted serialized input.

Comment 1 Tomas Hoger 2020-04-14 21:26:24 UTC
Public now via Oracle CPU April 2020:

https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixJAVA

Fixed in Oracle Java SE 14.0.1, 11.0.7, 8u251, and 7u261.

Comment 2 errata-xmlrpc 2020-04-21 09:32:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1508 https://access.redhat.com/errata/RHSA-2020:1508

Comment 3 errata-xmlrpc 2020-04-21 10:20:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1507 https://access.redhat.com/errata/RHSA-2020:1507

Comment 4 errata-xmlrpc 2020-04-21 10:21:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:1506 https://access.redhat.com/errata/RHSA-2020:1506

Comment 5 errata-xmlrpc 2020-04-21 11:17:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1509 https://access.redhat.com/errata/RHSA-2020:1509

Comment 6 errata-xmlrpc 2020-04-21 11:31:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1512 https://access.redhat.com/errata/RHSA-2020:1512

Comment 7 errata-xmlrpc 2020-04-21 16:31:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1514 https://access.redhat.com/errata/RHSA-2020:1514

Comment 8 Product Security DevOps Team 2020-04-21 16:32:34 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2756

Comment 9 errata-xmlrpc 2020-04-22 09:14:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1517 https://access.redhat.com/errata/RHSA-2020:1517

Comment 10 errata-xmlrpc 2020-04-22 09:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:1516 https://access.redhat.com/errata/RHSA-2020:1516

Comment 11 errata-xmlrpc 2020-04-22 09:33:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1515 https://access.redhat.com/errata/RHSA-2020:1515

Comment 13 errata-xmlrpc 2020-05-20 14:24:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2020:2236 https://access.redhat.com/errata/RHSA-2020:2236

Comment 14 errata-xmlrpc 2020-05-20 14:25:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2020:2237 https://access.redhat.com/errata/RHSA-2020:2237

Comment 15 errata-xmlrpc 2020-05-20 14:25:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2020:2239 https://access.redhat.com/errata/RHSA-2020:2239

Comment 16 errata-xmlrpc 2020-05-20 14:25:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2020:2238 https://access.redhat.com/errata/RHSA-2020:2238

Comment 17 errata-xmlrpc 2020-05-20 16:03:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2241 https://access.redhat.com/errata/RHSA-2020:2241