CVE-2020-2756: 
NixOS vulnerability analysis and mitigation

CVE-2020-2756 is a vulnerability discovered in Oracle Java SE and Java SE Embedded affecting versions Java SE: 7u251, 8u241, 11.0.6, 14 and Java SE Embedded: 8u241. The vulnerability is related to the Serialization component and involves incorrect handling of serial ENUMs (Oracle Advisory).

This is a difficult to exploit vulnerability that allows unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded. The vulnerability has a CVSS 3.0 Base Score of 3.7 (Low) with the vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is related to the mapping of serial ENUMs in the Serialization component (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Java SE Embedded. The vulnerability affects both client and server deployments of Java and can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, as well as through data supplied to APIs without using sandboxed applications (NVD).

Oracle released patches for affected versions in their April 2020 Critical Patch Update. Various Linux distributions have also released security updates including Ubuntu (versions 19.10, 18.04, 16.04), Debian (versions 8, 9, 10), and Fedora (versions 30, 31, 32). Users are strongly recommended to update to the patched versions (Ubuntu Security, Debian Security).