CVE-2020-2767: 
NixOS vulnerability analysis and mitigation

Vulnerability in the Java SE product of Oracle Java SE (component: JSSE) affecting versions 11.0.6 and 14. The vulnerability was discovered by researchers from Ruhr-University Bochum including Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget, and was disclosed in April 2020 (Oracle CPU).

The vulnerability involves incorrect handling of certificate messages during TLS handshakes. It has a CVSS v3.0 base score of 4.8 (MEDIUM) with the vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. This indicates it requires network access, has high attack complexity, requires no privileges or user interaction, and can result in low confidentiality and integrity impacts (NVD).

Successful exploitation could result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. The vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, or by supplying data to APIs without using sandboxed applications (Oracle CPU).

Oracle released patches for affected versions in the April 2020 Critical Patch Update. Multiple Linux distributions also released fixes including Ubuntu (openjdk-11 version 11.0.7+10), Debian (version 11.0.7+10-3~deb10u1), and OpenSUSE (java-11-openjdk version 11.0.7.0) (Ubuntu Notice, Debian Advisory, OpenSUSE Update).