
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-14782 is a vulnerability discovered in Java SE and Java SE Embedded products affecting versions 7u271, 8u261, 11.0.8 and 15 (Java SE) and 8u261 (Java SE Embedded). The vulnerability was disclosed in October 2020 and affects the Libraries component (Oracle CPU).
This is a difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE and Java SE Embedded. The vulnerability is related to certificate blacklist bypass via alternate certificate encodings in the Libraries component. It has a CVSS 3.1 Base Score of 3.7 (LOW) with a vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).
Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Java SE and Java SE Embedded accessible data. The vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, as well as by supplying data to APIs without using sandboxed applications (Oracle CPU).
Oracle released patches for affected versions as part of their October 2020 Critical Patch Update. Users should upgrade to the fixed versions: Java SE versions 7u271, 8u261, 11.0.8 and 15. For Java SE Embedded, users should upgrade to version 8u261. All running instances of Java must be restarted for the updates to take effect (Red Hat).
Source: This report was generated using AI