CVE-2020-2805: 
NixOS vulnerability analysis and mitigation

CVE-2020-2805 is a vulnerability discovered in Java SE and Java SE Embedded affecting versions 7u251, 8u241, 11.0.6, and 14 (Java SE) and 8u241 (Java SE Embedded). The vulnerability was disclosed in April 2020 and involves incorrect type checks in the MethodType.readObject() method in the Libraries component (Oracle Advisory).

The vulnerability stems from incorrect type checks in the MethodType.readObject() method within the Libraries component of Java SE. It has been assigned a CVSS v3.0 base score of 8.3 (High) with the vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H. The vulnerability is considered difficult to exploit and requires human interaction from someone other than the attacker (NVD).

Successful exploitation of this vulnerability can result in complete takeover of Java SE or Java SE Embedded. The vulnerability primarily affects Java deployments that load and run untrusted code (e.g., code from the internet) and rely on the Java sandbox for security. It does not affect Java deployments that only load and run trusted code (Oracle Advisory).

Oracle released patches for affected versions in their April 2020 Critical Patch Update. The fixed versions include Java SE versions 7u261, 8u252, 11.0.7, and 14.0.1. Users are strongly recommended to update to these patched versions. For systems that cannot be immediately updated, it may be possible to reduce risk by blocking network protocols required for attacks and removing privileges from users who don't need access to affected packages (Oracle Advisory).