{"id":"USN-3975-1","summary":"openjdk-8, openjdk-lts vulnerabilities","details":"It was discovered that the BigDecimal implementation in OpenJDK performed\nexcessive computation when given certain values. An attacker could use this\nto cause a denial of service (excessive CPU usage). (CVE-2019-2602)\n\nCorwin de Boor and Robert Xiao discovered that the RMI registry\nimplementation in OpenJDK did not properly select the correct skeleton\nclass in some situations. An attacker could use this to possibly escape\nJava sandbox restrictions. (CVE-2019-2684)\n\nMateusz Jurczyk discovered a vulnerability in the 2D component of\nOpenJDK. An attacker could use this to possibly escape Java sandbox\nrestrictions. This issue only affected OpenJDK 8 in Ubuntu 16.04\nLTS. (CVE-2019-2697)\n\nMateusz Jurczyk discovered a vulnerability in the font layout engine\nof OpenJDK's 2D component. An attacker could use this to possibly\nescape Java sandbox restrictions. This issue only affected OpenJDK 8\nin Ubuntu 16.04 LTS. (CVE-2019-2698)\n","modified":"2026-02-10T04:41:31Z","published":"2019-05-13T19:36:19Z","related":["UBUNTU-CVE-2019-2602","UBUNTU-CVE-2019-2684","UBUNTU-CVE-2019-2697","UBUNTU-CVE-2019-2698"],"upstream":["CVE-2019-2602","CVE-2019-2684","CVE-2019-2697","CVE-2019-2698","UBUNTU-CVE-2019-2602","UBUNTU-CVE-2019-2684","UBUNTU-CVE-2019-2697","UBUNTU-CVE-2019-2698"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3975-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2602"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2684"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2697"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2698"}],"affected":[{"package":{"name":"openjdk-8","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/openjdk-8@8u212-b03-0ubuntu1.16.04.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8u212-b03-0ubuntu1.16.04.1"}]}],"versions":["8u66-b01-5","8u72-b05-1ubuntu1","8u72-b05-5","8u72-b05-6","8u72-b15-1","8u72-b15-2ubuntu1","8u72-b15-2ubuntu3","8u72-b15-3ubuntu1","8u77-b03-1ubuntu2","8u77-b03-3ubuntu1","8u77-b03-3ubuntu2","8u77-b03-3ubuntu3","8u91-b14-0ubuntu4~16.04.1","8u91-b14-3ubuntu1~16.04.1","8u111-b14-2ubuntu0.16.04.2","8u121-b13-0ubuntu1.16.04.2","8u131-b11-0ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.3","8u151-b12-0ubuntu0.16.04.2","8u162-b12-0ubuntu0.16.04.2","8u171-b11-0ubuntu0.16.04.1","8u181-b13-0ubuntu0.16.04.1","8u181-b13-1ubuntu0.16.04.1","8u191-b12-0ubuntu0.16.04.1","8u191-b12-2ubuntu0.16.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-demo"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jdk"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jdk-headless"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jre"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jre-headless"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jre-jamvm"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-jre-zero"},{"binary_version":"8u212-b03-0ubuntu1.16.04.1","binary_name":"openjdk-8-source"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3975-1.json","cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"id":"CVE-2019-2602","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-2684","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2697","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2698","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}},{"package":{"name":"openjdk-lts","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/openjdk-lts@11.0.3+7-1ubuntu2~18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"11.0.3+7-1ubuntu2~18.04.1"}]}],"versions":["9.0.4+12-2ubuntu4","9.0.4+12-4ubuntu1","10~46-4ubuntu1","10~46-5ubuntu1","10.0.1+10-1ubuntu2","10.0.1+10-3ubuntu1","10.0.2+13-1ubuntu0.18.04.1","10.0.2+13-1ubuntu0.18.04.2","10.0.2+13-1ubuntu0.18.04.3","10.0.2+13-1ubuntu0.18.04.4","11.0.2+9-3ubuntu1~18.04.3"],"ecosystem_specific":{"binaries":[{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-demo"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-jdk"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-jdk-headless"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-jre"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-jre-headless"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-jre-zero"},{"binary_version":"11.0.3+7-1ubuntu2~18.04.1","binary_name":"openjdk-11-source"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3975-1.json","cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"id":"CVE-2019-2602","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-2684","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.3"}