OpenJDK Vulnerability Advisory: 2019/10/15

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 13, 11.0.4, 8u222, 7u231, and earlier. We recommend that you upgrade as soon as possible.

The current and previous advisories are available for reference.

Risk matrix

                                                      Affects ...
CVE ID          Component                    CVSSv3   7   8   11   13
CVE-2019-2949   security-libs/javax.net.ssl  6.8
CVE-2019-2989   core-libs/java.net           6.8
CVE-2019-2958   core-libs/java.lang          5.9
CVE-2019-2975   core-libs/javax.script       4.8
CVE-2019-2977   hotspot/compiler             4.8
CVE-2019-2999   tools/javadoc(tool)          4.7
CVE-2019-2981   xml/jaxp                     3.7
CVE-2019-2973   xml/jaxp                     3.7
CVE-2019-2983   client-libs/2d               3.7
CVE-2019-2988   client-libs/2d               3.7
CVE-2019-2978   core-libs/java.net           3.7
CVE-2019-2964   core-libs/java.util.regex    3.7
CVE-2019-2992   client-libs/2d               3.7
CVE-2019-2962   client-libs/2d               3.7
CVE-2019-2987   client-libs/2d               3.7
CVE-2019-2894   security-libs/javax.net.ssl  3.7
CVE-2019-2933   core-libs                    3.1
CVE-2019-2945   core-libs/java.net           3.1

Acknowledgements

We acknowledge the following parties for their reports and contributions: Rob Hamm (SAS), Roy Haroush, Imre, Mitah J, Jan Jancar (Masaryk University, Brno, Czech Republic), Mark Thomas (Apache Tomcat), Duong Quoc Tin, Yaqi Guo (Huawei Technologies Co. Ltd.), and Zihang Wang.

We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, and JDK 11 Updates Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2019/10/15 17:10 UTC