(UPDATE [01/16/2020]: Added clarification as to the source of the information for the source commits)

Earlier today Oracle releases patches for various flavors of Java. At the same time, the open source version of Java – OpenJDK – released their patches as well. The problem is that it is virtually impossible to figure out what the actual bugs are. Here are partial screenshots from Oracle’s critical patch update advisory, text version and the OpenJDK advisory:

The actual CVE descriptions are also cryptic – here is an example of one (CVE-2020-2583):

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u241, 8u231, 11.0.5 and 13.0.1; Java SE Embedded: 8u231. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note : This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS v3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

The problem is that not enough information is being provided in order to make an educated decision, especially in cases where there are limited resources for patching. How do we figure out what the vulnerability actually is?

It is possible to derive the source code changes from the Debian package updates OpenJDK release notes that map the CVEs to the actual source code changesets in the OpenJDK repository (HG and GitHub). For example as seen below, “CVE-2020-2583” links to the source code changes # 8224909:

Looking at the HG repository for OpenJDK and the GitHub mirror it is pretty easy to figure out:

And the actual changes can now be examined in detail:

Based on those sources, we can now reconstruct the actual bugs and their source code changes for JDK 11 ( Debian mesage here based on the OpenJDK release notes here):

CVE ID Component CVSSv3 Commit Description CVE-2020-2604 core-libs/

java.io:serialization 7.1 8231422 (HG / GitHub) Better serial filter handling CVE-2020-2601 security-libs/

java.security 6.8 8229951 (HG / GitHub) Better Ticket Granting Services CVE-2020-2655 security-libs/

javax.net.ssl 4.8 8231780 (HG / GitHub) Better TLS messaging support CVE-2020-2593 core-libs/

java.net 4.8 8228548 (HG / GitHub) Normalize normalization for all CVE-2020-2654 security-libs/

java.security 3.7 8234037 (HG / GitHub) Improve Object Identifier Processing CVE-2020-2590 security-libs/

org.ietf.jgss 3.7 8226352 (HG / GitHub) Improve Kerberos interop capabilities CVE-2020-2583 client-libs/

java.beans 3.7 8224909 (HG / GitHub) Unlink Set of LinkedHashSets

Additionally for CVE-2020-2604, the Oracle release notes include this (JDK bug # corresponds to the commit # above:

Credits

Written by Y. Shafranovich