CVE-2020-2781: 
NixOS vulnerability analysis and mitigation

CVE-2020-2781 is a vulnerability in Java SE and Java SE Embedded, specifically affecting the Java Secure Socket Extension (JSSE) component. The affected versions include Java SE versions 7u251, 8u241, 11.0.6, 14, and Java SE Embedded version 8u241. This vulnerability was disclosed in April 2020 as part of Oracle's Critical Patch Update (Oracle CPU).

The vulnerability stems from incorrect re-use of single null TLS sessions for new TLS connections. This is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTPS to compromise Java SE and Java SE Embedded. The vulnerability has a CVSS Base Score of 5.3 (Medium) with the vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE and Java SE Embedded. The vulnerability applies to both client and server deployment of Java and can be exploited through sandboxed Java Web Start applications and sandboxed Java applets, as well as through data supplied to APIs without using sandboxed applications (Oracle CPU).

Oracle released patches for affected versions in their April 2020 Critical Patch Update. Users should upgrade to the fixed versions: Java SE 7u261, 8u252, 11.0.7, and 14.0.1. For Linux distributions, various vendors have provided security updates including Ubuntu (versions 19.10, 18.04, 16.04), Debian (versions 9 and 10), and OpenSUSE (Ubuntu Notice, Debian Advisory).