{"id":"USN-4083-1","summary":"openjdk-lts vulnerabilities","details":"It was discovered that OpenJDK did not sufficiently validate serial streams\nbefore deserializing suppressed exceptions in some situations. An attacker\ncould use this to specially craft an object that, when deserialized, would\ncause a denial of service. (CVE-2019-2762)\n\nIt was discovered that in some situations OpenJDK did not properly bound\nthe amount of memory allocated during object deserialization. An attacker\ncould use this to specially craft an object that, when deserialized, would\ncause a denial of service (excessive memory consumption). (CVE-2019-2769)\n\nIt was discovered that OpenJDK did not properly restrict privileges in\ncertain situations. An attacker could use this to specially construct an\nuntrusted Java application or applet that could escape sandbox\nrestrictions. (CVE-2019-2786)\n\nJonathan Birch discovered that the Networking component of OpenJDK did not\nproperly validate URLs in some situations. An attacker could use this to\nbypass restrictions on characters in URLs. (CVE-2019-2816)\n\nIt was discovered that the ChaCha20Cipher implementation in OpenJDK did not\nuse constant time computations in some situations. An attacker could use\nthis to expose sensitive information. (CVE-2019-2818)\n\nIt was discovered that the Java Secure Socket Extension (JSSE) component in\nOpenJDK did not properly handle OCSP stapling messages during TLS handshake\nin some situations. An attacker could use this to expose sensitive\ninformation. (CVE-2019-2821)\n\nIt was discovered that OpenJDK incorrectly handled certain memory\noperations. If a user or automated system were tricked into opening a\nspecially crafted PNG file, a remote attacker could use this issue to\ncause OpenJDK to crash, resulting in a denial of service, or possibly\nexecute arbitrary code. (CVE-2019-7317)\n","modified":"2026-04-27T15:32:55.207603745Z","published":"2019-07-31T17:10:35Z","related":["UBUNTU-CVE-2019-2762","UBUNTU-CVE-2019-2769","UBUNTU-CVE-2019-2786","UBUNTU-CVE-2019-2816","UBUNTU-CVE-2019-2818","UBUNTU-CVE-2019-2821","UBUNTU-CVE-2019-7317"],"upstream":["CVE-2019-2762","CVE-2019-2769","CVE-2019-2786","CVE-2019-2816","CVE-2019-2818","CVE-2019-2821","CVE-2019-7317","UBUNTU-CVE-2019-2762","UBUNTU-CVE-2019-2769","UBUNTU-CVE-2019-2786","UBUNTU-CVE-2019-2816","UBUNTU-CVE-2019-2818","UBUNTU-CVE-2019-2821","UBUNTU-CVE-2019-7317"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4083-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2762"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2769"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2786"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2816"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2818"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-2821"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-7317"}],"affected":[{"package":{"name":"openjdk-lts","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/openjdk-lts@11.0.4+11-1ubuntu2~18.04.3?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"11.0.4+11-1ubuntu2~18.04.3"}]}],"versions":["9.0.4+12-2ubuntu4","9.0.4+12-4ubuntu1","10~46-4ubuntu1","10~46-5ubuntu1","10.0.1+10-1ubuntu2","10.0.1+10-3ubuntu1","10.0.2+13-1ubuntu0.18.04.1","10.0.2+13-1ubuntu0.18.04.2","10.0.2+13-1ubuntu0.18.04.3","10.0.2+13-1ubuntu0.18.04.4","11.0.2+9-3ubuntu1~18.04.3","11.0.3+7-1ubuntu2~18.04.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-demo"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-jdk"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-jdk-headless"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-jre"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-jre-headless"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-jre-zero"},{"binary_version":"11.0.4+11-1ubuntu2~18.04.3","binary_name":"openjdk-11-source"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:18.04:LTS","cves":[{"id":"CVE-2019-2762","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2769","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2786","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2816","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2019-2818","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-2821","severity":[{"score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"low","type":"Ubuntu"}]},{"id":"CVE-2019-7317","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4083-1.json"}}],"schema_version":"1.7.5"}