OpenJDK Vulnerability Advisory: 2019/10/15

The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 13, 11.0.4, 8u222, 7u231, and earlier. We recommend that you upgrade as soon as possible.

The current and previous advisories are available for reference.

Risk matrix

CVE ID          Component                     CVSSv3  Vector    Affects (7, 8, 11, 13)
CVE-2019-2949   security-libs/javax.net.ssl   6.8     NHNNCHNN
CVE-2019-2989   core-libs/java.net            6.8     NHNNCNHN
CVE-2019-2958   core-libs/java.lang           5.9     NHNNUNHN
CVE-2019-2975   core-libs/javax.script        4.8     NHNNUNLL
CVE-2019-2977   hotspot/compiler              4.8     NHNNULNL
CVE-2019-2999   tools/javadoc(tool)           4.7     NHNRCLLN
CVE-2019-2981   xml/jaxp                      3.7     NHNNUNNL
CVE-2019-2973   xml/jaxp                      3.7     NHNNUNNL
CVE-2019-2983   client-libs/2d                3.7     NHNNUNNL
CVE-2019-2988   client-libs/2d                3.7     NHNNUNNL
CVE-2019-2978   core-libs/java.net            3.7     NHNNUNNL
CVE-2019-2964   core-libs/java.util.regex     3.7     NHNNUNNL
CVE-2019-2992   client-libs/2d                3.7     NHNNUNNL
CVE-2019-2962   client-libs/2d                3.7     NHNNUNNL
CVE-2019-2987   client-libs/2d                3.7     NHNNUNNL
CVE-2019-2894   security-libs/javax.net.ssl   3.7     NHNNULNN
CVE-2019-2933   core-libs                     3.1     NHNRULNN
CVE-2019-2945   core-libs/java.net            3.1     NHNRUNNL

Acknowledgements

We acknowledge the following parties for their reports and contributions: Rob Hamm (SAS), Roy Haroush, Imre, Mitah J, Jan Jancar (Masaryk University, Brno, Czech Republic), Mark Thomas (Apache Tomcat), Duong Quoc Tin, Yaqi Guo (Huawei Technologies Co. Ltd.), and Zihang Wang.

We also thank the Leads of the JDK 7 Updates, JDK 8 Updates, and JDK 11 Updates Projects for providing the risk-matrix information for their releases.

How to report a vulnerability

Please see the reporting instructions for information about how to report a vulnerability.

Last update: 2019/10/15 17:10 UTC