OpenJDK Vulnerability Advisory: 2019/7/16

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 12.0.1, 11.0.3, 8u212, 7u221, and earlier. We recommend that you upgrade as soon as possible.

The fix for CVE-2019-7317 also addresses CVE-2019-6129.

The current and previous advisories are available for reference.

Risk matrix

                                                         Affects ...
CVE ID          Component                    CVSSv3  Vector     7  8  11  12
CVE-2019-7317   client-libs/java.awt         6.8     NHNRUNHH
CVE-2019-2821   security-libs/javax.net.ssl  5.3     NHNRUHNN
CVE-2019-2769   core-libs/java.util          5.3     NLNNUNNL
CVE-2019-2762   core-libs/java.util          5.3     NLNNUNNL
CVE-2019-2745   security-libs/java.security  5.1     LHNNUHNN
CVE-2019-2816   core-libs/java.net           4.8     NHNNULLN
CVE-2019-2842   hotspot/compiler             3.7     NHNNUNNL
CVE-2019-2786   security-libs/java.security  3.4     NHNRCLNN
CVE-2019-2818   security-libs/java.security  3.1     NHNRULNN
CVE-2019-2766   core-libs/java.net           3.1     NHNRULNN

Acknowledgements

We acknowledge the following parties for their reports and contributions: Jonathan Birch (Microsoft Corporation), William Bonnaventure (SnT SerVal University of Luxembourg), Pete Dettman, Paul Jaklitsch, Mateusz Jurczyk (Google Project Zero), Nati Nimni (Microsoft Security Vulnerability Research), and Keegan Ryan (NCC Group).

We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, and JDK 11 Updates Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2019/7/18 17:10 UTC