CVE-2019-2964

Published: 16 October 2019

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

From the Ubuntu Security Team

It was discovered that the Concurrency subsystem in OpenJDK did not properly bound stack consumption when compiling regular expressions. An attacker could use this to cause a denial of service (application crash).

Priority

Cvss 3 Severity Score

3.7

Score breakdown

Status

Package	Release	Status
openjdk-12 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Ignored (end of life)
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-13 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	focal	Ignored (superseded by openjdk-17)
	groovy	Ignored (end of life)
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-7 Launchpad, Ubuntu, Debian	bionic	Does not exist
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	kinetic	Does not exist
	lunar	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
openjdk-8 Launchpad, Ubuntu, Debian	bionic	Released (8u232-b09-0ubuntu1~18.04.1)
	disco	Released (8u232-b09-0ubuntu1~19.04.1)
	eoan	Released (8u232-b09-0ubuntu1.1)
	focal	Not vulnerable (8u232-b09-1)
	groovy	Not vulnerable (8u232-b09-1)
	hirsute	Not vulnerable (8u232-b09-1)
	impish	Not vulnerable (8u232-b09-1)
	jammy	Not vulnerable (8u232-b09-1)
	kinetic	Not vulnerable (8u232-b09-1)
	lunar	Not vulnerable (8u232-b09-1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (8u232-b09-0ubuntu1~16.04.1)
openjdk-lts Launchpad, Ubuntu, Debian	bionic	Released (11.0.5+10-0ubuntu1.1~18.04)
	disco	Released (11.0.5+10-0ubuntu1.1~19.04)
	eoan	Released (11.0.5+10-0ubuntu1.1)
	focal	Not vulnerable (11.0.5+10-2ubuntu1)
	groovy	Not vulnerable (11.0.5+10-2ubuntu1)
	hirsute	Not vulnerable (11.0.5+10-2ubuntu1)
	impish	Not vulnerable (11.0.5+10-2ubuntu1)
	jammy	Not vulnerable (11.0.5+10-2ubuntu1)
	kinetic	Not vulnerable (11.0.5+10-2ubuntu1)
	lunar	Not vulnerable (11.0.5+10-2ubuntu1)
	trusty	Does not exist
	upstream	Released (11.0.5+10-1)
	xenial	Does not exist
	Patches: upstream: http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/b0cef26e900b

Severity score breakdown

Parameter	Value
Base score	3.7
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	Low
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›