Alpine: multiple openjdk8 packages: security update to 8.272.10-r0

high Tenable Self-Hosted Container Security Plugin ID 405972

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported
versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other
than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or
delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to
a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of
Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java
applets. It can also be exploited by supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
(CVE-2020-14792)

- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported
versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client
and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as
through a web service. (CVE-2020-14556)

- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported
versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251.
Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to
compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized
read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server
deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and
sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component
without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web
service. (CVE-2020-14577)

- Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported
versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to
cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and
server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as
through a web service. (CVE-2020-14578, CVE-2020-14579)

See Also

https://security.alpinelinux.org/vuln/CVE-2020-14556

https://security.alpinelinux.org/vuln/CVE-2020-14577

https://security.alpinelinux.org/vuln/CVE-2020-14578

https://security.alpinelinux.org/vuln/CVE-2020-14579

https://security.alpinelinux.org/vuln/CVE-2020-14581

https://security.alpinelinux.org/vuln/CVE-2020-14583

https://security.alpinelinux.org/vuln/CVE-2020-14593

https://security.alpinelinux.org/vuln/CVE-2020-14621

https://security.alpinelinux.org/vuln/CVE-2020-14779

https://security.alpinelinux.org/vuln/CVE-2020-14781

https://security.alpinelinux.org/vuln/CVE-2020-14782

https://security.alpinelinux.org/vuln/CVE-2020-14792

https://security.alpinelinux.org/vuln/CVE-2020-14796

https://security.alpinelinux.org/vuln/CVE-2020-14797

https://security.alpinelinux.org/vuln/CVE-2020-14798

https://security.alpinelinux.org/vuln/CVE-2020-14803

Plugin Details

Severity: High

ID: 405972

Version: Revision 1.37

Type: Local

Published: 10/31/2023

Updated: 12/4/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2020-14792

CVSS v3

Risk Factor: High

Base Score: 8.3

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-14583

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 7/14/2020

Reference Information

CVE: CVE-2020-14556, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621, CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14803