Bug 1791284 (CVE-2020-2659) - CVE-2020-2659 OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-2659
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1785757 1785758 1785759 1785760 1785761 1785762 1789444 1789445 1789446 1796801 1796802 1796803 1796804 1796805 1796806 1796807 1796808 1799108 1803860 1803861
Blocks: 1785754
Reported: 2020-01-15 12:59 UTC by Tomas Hoger
Modified: 2020-03-17 13:11 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-27 15:49:52 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0212 0 None None None 2020-01-23 14:05:02 UTC
Red Hat Product Errata RHBA-2020:0220 0 None None None 2020-01-23 17:00:33 UTC
Red Hat Product Errata RHBA-2020:0225 0 None None None 2020-01-27 01:22:07 UTC
Red Hat Product Errata RHBA-2020:0226 0 None None None 2020-01-27 01:22:52 UTC
Red Hat Product Errata RHBA-2020:0238 0 None None None 2020-01-27 12:25:22 UTC
Red Hat Product Errata RHBA-2020:0240 0 None None None 2020-01-27 12:26:42 UTC
Red Hat Product Errata RHBA-2020:0241 0 None None None 2020-01-27 12:29:20 UTC
Red Hat Product Errata RHBA-2020:0311 0 None None None 2020-01-30 20:06:38 UTC
Red Hat Product Errata RHBA-2020:0318 0 None None None 2020-02-03 10:27:55 UTC
Red Hat Product Errata RHBA-2020:0558 0 None None None 2020-02-20 08:31:12 UTC
Red Hat Product Errata RHBA-2020:0639 0 None None None 2020-02-27 19:30:01 UTC
Red Hat Product Errata RHSA-2020:0157 0 None None None 2020-01-21 03:02:10 UTC
Red Hat Product Errata RHSA-2020:0196 0 None None None 2020-01-21 23:00:58 UTC
Red Hat Product Errata RHSA-2020:0202 0 None None None 2020-01-22 13:04:55 UTC
Red Hat Product Errata RHSA-2020:0231 0 None None None 2020-01-27 08:54:43 UTC
Red Hat Product Errata RHSA-2020:0465 0 None None None 2020-02-11 03:56:50 UTC
Red Hat Product Errata RHSA-2020:0467 0 None None None 2020-02-11 08:28:40 UTC
Red Hat Product Errata RHSA-2020:0468 0 None None None 2020-02-11 08:32:34 UTC
Red Hat Product Errata RHSA-2020:0469 0 None None None 2020-02-11 08:30:41 UTC
Red Hat Product Errata RHSA-2020:0470 0 None None None 2020-02-11 08:33:57 UTC
Red Hat Product Errata RHSA-2020:0541 0 None None None 2020-02-18 15:28:49 UTC
Red Hat Product Errata RHSA-2020:0632 0 None None None 2020-02-27 15:27:14 UTC
Red Hat Product Errata RHSA-2020:0856 0 None None None 2020-03-17 13:11:13 UTC

Description Tomas Hoger 2020-01-15 12:59:17 UTC
It was discovered that the DatagramChannelImpl class in the Networking component of OpenJDK failed to completely enforce the limit on the number of datagram sockets (set using the sun.net.maxDatagramSockets system property) that can be created by code running with the Java sandbox restrictions. Untrusted Java code could use this flaw to bypass the intended Java sandbox restriction.

Comment 1 Tomas Hoger 2020-01-15 13:00:16 UTC
Public now via Oracle CPU January 2020:

https://www.oracle.com/security-alerts/cpujan2020.html#AppendixJAVA

Fixed in Oracle Java SE 8u241 and 7u251.

Comment 2 errata-xmlrpc 2020-01-21 03:02:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0157 https://access.redhat.com/errata/RHSA-2020:0157

Comment 3 errata-xmlrpc 2020-01-21 23:00:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0196 https://access.redhat.com/errata/RHSA-2020:0196

Comment 4 errata-xmlrpc 2020-01-22 13:04:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0202 https://access.redhat.com/errata/RHSA-2020:0202

Comment 5 errata-xmlrpc 2020-01-27 08:54:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0231 https://access.redhat.com/errata/RHSA-2020:0231

Comment 8 errata-xmlrpc 2020-02-11 03:56:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0465 https://access.redhat.com/errata/RHSA-2020:0465

Comment 9 errata-xmlrpc 2020-02-11 08:28:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2020:0467 https://access.redhat.com/errata/RHSA-2020:0467

Comment 10 errata-xmlrpc 2020-02-11 08:30:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2020:0469 https://access.redhat.com/errata/RHSA-2020:0469

Comment 11 errata-xmlrpc 2020-02-11 08:32:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2020:0468 https://access.redhat.com/errata/RHSA-2020:0468

Comment 12 errata-xmlrpc 2020-02-11 08:33:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2020:0470 https://access.redhat.com/errata/RHSA-2020:0470

Comment 13 errata-xmlrpc 2020-02-18 15:28:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0541 https://access.redhat.com/errata/RHSA-2020:0541

Comment 14 Tomas Hoger 2020-02-27 14:43:00 UTC
OpenJDK-7 upstream commit:
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/c9b0a18f082e

OpenJDK-8 upstream commit:
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/9ea5e5b2cd63

Comment 15 errata-xmlrpc 2020-02-27 15:27:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0632 https://access.redhat.com/errata/RHSA-2020:0632

Comment 16 Product Security DevOps Team 2020-02-27 15:49:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2659

Comment 19 errata-xmlrpc 2020-03-17 13:11:11 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.8

Via RHSA-2020:0856 https://access.redhat.com/errata/RHSA-2020:0856
