CVE-2020-2816: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in the Java SE product of Oracle Java SE, specifically in the JSSE component. The affected versions include Java SE 11.0.6 and 14. This vulnerability (CVE-2020-2816) was disclosed in April 2020 and involves incorrect handling of application data packets during TLS handshakes (Oracle CPU, NVD).

The vulnerability has a CVSS 3.0 Base Score of 7.5 (High) with the following vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTPS. The attack requires no user interaction and can be executed with low attack complexity (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE accessible data. The vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (NVD).

Oracle released patches to address this vulnerability in their April 2020 Critical Patch Update. For Ubuntu systems, the fix was included in version 11.0.7+10-2ubuntu1 for focal and similar versions for other releases. OpenSUSE addressed the vulnerability in java-11-openjdk version 11.0.7.0-lp151.3.16.1. Users are strongly recommended to update to these patched versions (Ubuntu Security, OpenSUSE Advisory).