CVE-2019-2999 - OpenCVE

Vulnerability in the Java SE product of Oracle Java SE (component: Javadoc). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE accessible data as well as unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

AV:N/AC:H/Au:N/C:P/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Satellite Enterprise Linux Server Tus Enterprise Linux Desktop Enterprise Linux Workstation Enterprise Linux Server Aus Enterprise Linux Server Enterprise Linux Eus
Oracle	Jdk Jre
Opensuse	Leap
Canonical	Ubuntu Linux
Debian	Debian Linux
Netapp	E-series Santricity Unified Manager E-series Santricity Web Services Proxy Snapmanager Oncommand Workflow Automation E-series Santricity Os Controller E-series Santricity Storage Manager

Configuration 1 [-]

OR	cpe:2.3:a:oracle:jdk:1.7.0:update231::::::
	cpe:2.3:a:oracle:jdk:1.8.0:update221::::::
	cpe:2.3:a:oracle:jdk:11.0.4:::::::*
	cpe:2.3:a:oracle:jdk:13.0.0:::::::*
	cpe:2.3:a:oracle:jre:1.7.0:update231::::::
	cpe:2.3:a:oracle:jre:1.8.0:update221::::::
	cpe:2.3:a:oracle:jre:11.0.4:::::::*
	cpe:2.3:a:oracle:jre:13.0.0:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:redhat:satellite:5.8:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:::::::*
	cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:snapmanager:-:::::oracle::
	cpe:2.3:a:netapp:snapmanager:-:::::sap::

Configuration 4 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:15.1:::::::*

Configuration 6 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:19.10:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00064.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00066.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00031.html	Mailing List Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Patch Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:3134	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3135	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3136	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3157	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3158	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4109	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4110	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4113	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4115	Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0006	Patch Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0046	Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00005.html	Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Oct/27	Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Oct/31	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0001/	Third Party Advisory
https://usn.ubuntu.com/4223-1/	Third Party Advisory
https://www.debian.org/security/2019/dsa-4546	Third Party Advisory
https://www.debian.org/security/2019/dsa-4548	Third Party Advisory