Vulnerabilities > CVE-2020-2764 - Unspecified vulnerability in Oracle Java Advanced Management Console 2.16

047910
CVSS 3.7 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
LOW
Integrity impact
NONE
Availability impact
NONE
network
high complexity
oracle
nessus

Summary

Vulnerability in the Java SE product of Oracle Java SE (component: Advanced Management Console). The supported version that is affected is Java Advanced Management Console: 2.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Vulnerable Configurations

Part Description Count
Application
Oracle
1

Nessus

  • NASL familyWindows
    NASL idORACLE_JAVA_CPU_APR_2020.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the following components : - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over
    last seen2020-04-23
    modified2020-04-16
    plugin id135592
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135592
    titleOracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135592);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/17");
    
      script_cve_id(
        "CVE-2019-18197",
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2764",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_xref(name:"IAVA", value:"2020-A-0134-S");
    
      script_name(english:"Oracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update
    261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the
    following components :
    
      - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over 'Multiple' protocol.
        This issue affects the 'JavaFX (libxslt)' component. Successful attacks of this vulnerability allow 
        unauthenticated attacker with network access to takeover of Java SE. (CVE-2019-18197)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2754, CVE-2020-2755)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Serialization' component. (CVE-2020-2756, CVE-2020-2757)
    
      - Oracle Java SE prone to unauthorized read access vulnerability. An unauthenticated remote attacker can
        exploit this over 'Multiple' protocol can result in unauthorized read access to a subset of Java SE
        accessible data. This issue affects the 'Advanced Management Console' component. (CVE-2020-2764)
    
      - Oracle Java SE and Java SE Embedded are prone to unauthorized write/read access vulnerability. An
        unauthenticated remote attacker over 'HTTPS' can read, update, insert or delete access to some of Java SE
        accessible data. This issue affects the 'JSSE' component. (CVE-2020-2767)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2773)
    
    It is also affected by other vulnerabilities; please see vendor advisories for more information.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 14 Update 1 , 11 Update 7, 8 Update 251 , 7 Update 261 or later.
    If necessary, remove any affected versions.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed.nasl");
      script_require_keys("SMB/Java/JRE/Installed");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit("SMB/Java/JRE/*");
    
    info = "";
    vuln = 0;
    installed_versions = "";
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - "SMB/Java/JRE/";
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + " & " + ver;
    
      # Fixes : (JDK|JRE) 13 Update 2 / 11 Update 6 / 8 Update 214 / 7 Update 251 
      if (
        ver_compare(minver:"1.7.0", ver:ver, fix:"1.7.0_261", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.8.0", ver:ver, fix:"1.8.0_251", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.11.0", ver:ver, fix:"1.11.0_7", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:"1.13.0", ver:ver, fix:"1.14.0_1", regexes:{0:"_(\d+)"}, strict:FALSE) < 0 
    
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1\n';
      }
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (vuln > 1) s = "s of Java are";
      else s = " of Java is";
    
      report =
        '\n' +
        'The following vulnerable instance'+s+' installed on the\n' +
        'remote host :\n' +
        info;
      security_report_v4(severity:SECURITY_WARNING, port:port, extra:report);
    }
    else
    {
      installed_versions = substr(installed_versions, 3);
      if (" & " >< installed_versions)
        exit(0, "The Java "+installed_versions+" installations on the remote host are not affected.");
      else
        audit(AUDIT_INST_VER_NOT_VULN, "Java", installed_versions);
    }
    
  • NASL familyMisc.
    NASL idORACLE_JAVA_CPU_APR_2020_UNIX.NASL
    descriptionThe version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update 261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the following components : - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over
    last seen2020-05-23
    modified2020-04-16
    plugin id135591
    published2020-04-16
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135591
    titleOracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU) (Unix)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(135591);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/17");
    
      script_cve_id(
        "CVE-2019-18197",
        "CVE-2020-2754",
        "CVE-2020-2755",
        "CVE-2020-2756",
        "CVE-2020-2757",
        "CVE-2020-2764",
        "CVE-2020-2767",
        "CVE-2020-2773",
        "CVE-2020-2778",
        "CVE-2020-2781",
        "CVE-2020-2800",
        "CVE-2020-2803",
        "CVE-2020-2805",
        "CVE-2020-2816",
        "CVE-2020-2830"
      );
      script_xref(name:"IAVA", value:"2020-A-0134-S");
    
      script_name(english:"Oracle Java SE 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1 Multiple Vulnerabilities (Apr 2020 CPU) (Unix)");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is affected by multiple vulnerabilities");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 7 Update
    261, 8 Update 251, 11 Update 7, or 14 Update 1. It is, therefore, affected by multiple vulnerabilities related to the
    following components :
    
      - Oracle Java SE and Java SE Embedded are prone to a buffer overflow attack, over 'Multiple' protocol.
        This issue affects the 'JavaFX (libxslt)' component. Successful attacks of this vulnerability allow 
        unauthenticated attacker with network access to takeover of Java SE. (CVE-2019-18197)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2754, CVE-2020-2755)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Serialization' component. (CVE-2020-2756, CVE-2020-2757)
    
      - Oracle Java SE prone to unauthorized read access vulnerability. An unauthenticated remote attacker can
        exploit this over 'Multiple' protocol can result in unauthorized read access to a subset of Java SE
        accessible data. This issue affects the 'Advanced Management Console' component. (CVE-2020-2764)
    
      - Oracle Java SE and Java SE Embedded are prone to unauthorized write/read access vulnerability. An
        unauthenticated remote attacker over 'HTTPS' can read, update, insert or delete access to some of Java SE
        accessible data. This issue affects the 'JSSE' component. (CVE-2020-2767)
    
      - Oracle Java SE and Java SE Embedded are prone to partial denial of service (partial DOS) vulnerability.
        An unauthenticated remote attacker can exploit this over 'Multiple' protocol. This issue affects the
        'Scripting' component. (CVE-2020-2773)
    
     It is also affected by other vulnerabilities; please see vendor advisories for more information.
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/a/tech/docs/cpuapr2020cvrf.xml");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2020.html");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle JDK / JRE 14 Update 1 , 11 Update 7 , 8 Update 251 , 7 Update 261 or later.
    If necessary, remove any affected versions.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-2800");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"agent", value:"unix");
      script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/16");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdk");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("sun_java_jre_installed_unix.nasl");
      script_require_keys("Host/Java/JRE/Installed");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    
    # Check each installed JRE.
    installs = get_kb_list_or_exit('Host/Java/JRE/Unmanaged/*');
    
    info = '';
    vuln = 0;
    vuln2 = 0;
    installed_versions = '';
    granular = '';
    
    foreach install (list_uniq(keys(installs)))
    {
      ver = install - 'Host/Java/JRE/Unmanaged/';
      if (ver !~ "^[0-9.]+") continue;
    
      installed_versions = installed_versions + ' & ' + ver;
    
    # Fixes : (JDK|JRE) 13 Update 2 / 11 Update 6 / 8 Update 241 / 7 Update 251 
      if (
        ver_compare(minver:'1.7.0', ver:ver, fix:'1.7.0_261', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.8.0', ver:ver, fix:'1.8.0_251', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.11.0', ver:ver, fix:'1.11.0_7', regexes:{0:"_(\d+)"}, strict:FALSE) < 0 ||
        ver_compare(minver:'1.13.0', ver:ver, fix:'1.14.0_1', regexes:{0:"_(\d+)"}, strict:FALSE) < 0
      )
      {
        dirs = make_list(get_kb_list(install));
        vuln += max_index(dirs);
    
        foreach dir (dirs)
          info += '\n  Path              : ' + dir;
    
        info += '\n  Installed version : ' + ver;
        info += '\n  Fixed version     : 1.7.0_261 / 1.8.0_251 / 1.11.0_7 / 1.14.0_1\n';
      }
      else if (ver =~ "^[\d\.]+$")
      {
        dirs = make_list(get_kb_list(install));
        foreach dir (dirs)
          granular += 'The Oracle Java version '+ver+' at '+dir+' is not granular enough to make a determination.'+'\n';
      }
      else
      {
        dirs = make_list(get_kb_list(install));
        vuln2 += max_index(dirs);
      }
    
    }
    
    # Report if any were found to be vulnerable.
    if (info)
    {
      if (vuln > 1) s = 's of Java are';
      else s = ' of Java is';
    
      report =
        '\n' +
        'The following vulnerable instance'+s+' installed on the\n' +
        'remote host :\n' +
        info;
      security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
      if (granular) exit(0, granular);
    }
    else
    {
      if (granular) exit(0, granular);
    
      installed_versions = substr(installed_versions, 3);
      if (vuln2 > 1)
        exit(0, 'The Java '+installed_versions+' installations on the remote host are not affected.');
      else
        audit(AUDIT_INST_VER_NOT_VULN, 'Java', installed_versions);
    }