CVE-2020-2757: 
NixOS vulnerability analysis and mitigation

CVE-2020-2757 is a vulnerability discovered in Java SE and Java SE Embedded that affects serialization functionality. The vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update. It is described as a difficult to exploit vulnerability that allows unauthenticated attackers with network access via multiple protocols to compromise Java SE (Oracle CPU).

The vulnerability is related to uncaught InstantiationError exceptions in ObjectStreamClass during object deserialization. It has a CVSS base score of 3.7 (LOW) with the following vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability affects Java SE versions 7u251, 8u241, 11.0.6, 14 and Java SE Embedded version 8u241 (NIST NVD).

If successfully exploited, this vulnerability could result in a denial of service condition via crafted serialized input. The impact is limited to availability with no direct effects on confidentiality or integrity (Red Hat CVE).

Oracle has released patches to address this vulnerability in Java SE versions 7u261, 8u252, 11.0.7, and 14. Users are advised to update to these patched versions. For systems that cannot be immediately updated, no specific workarounds have been published (Ubuntu Security).