CVE-2020-2778: 
NixOS vulnerability analysis and mitigation

CVE-2020-2778 is a vulnerability discovered in Oracle Java SE (component: JSSE) affecting versions 11.0.6 and 14. The vulnerability relates to the incorrect handling of SSLParameters in setAlgorithmConstraints(), which was discovered by Peter Dettman of cryptoworkshop.com (Oracle CPU). The vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability is characterized by a CVSS Base Score of 3.7 (Low) with a vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. It is difficult to exploit and requires network access via HTTPS. The vulnerability stems from incorrect handling of SSLParameters in setAlgorithmConstraints(), which could potentially be exploited to override the defined systems security policy (NetApp Advisory).

Successful exploitation of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. The vulnerability could potentially lead to the use of weak crypto algorithms that should be disabled, effectively bypassing the system's security policy (Ubuntu Notice).

Oracle released patches for affected versions as part of the April 2020 Critical Patch Update. Various Linux distributions have also provided security updates, including Ubuntu (versions 19.10, 18.04, 16.04) with package updates to openjdk-11 version 11.0.7+10 (Ubuntu Notice), and Debian with version 11.0.7+10-3~deb10u1 for the stable distribution (Debian Advisory).