CVE-2020-2773: 
NixOS vulnerability analysis and mitigation

CVE-2020-2773 is a security vulnerability affecting Java SE and Java SE Embedded products. The affected versions include Java SE versions 7u251, 8u241, 11.0.6, 14 and Java SE Embedded version 8u241. This vulnerability was discovered and disclosed in April 2020 (Oracle CPU).

The vulnerability is related to incorrect handling of exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature() in the Security component. It has a CVSS 3.0 Base Score of 3.7 (Low) with the vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Java SE Embedded. The vulnerability applies to both client and server deployment of Java and can be exploited through sandboxed Java Web Start applications, sandboxed Java applets, or by supplying data to APIs without using sandboxed applications (CVE).

Oracle released patches for this vulnerability in their April 2020 Critical Patch Update. Users should upgrade to Java SE versions 7u261, 8u252, 11.0.7, or later versions. For Java SE Embedded, users should upgrade to version 8u252 or later. All running instances of Java must be restarted for the patches to take effect (Red Hat).