Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2020-14621

CVE-2020-14621: Oracle OpenJDK Auth Bypass Vulnerability

CVE-2020-14621 is an authentication bypass vulnerability in Oracle OpenJDK JAXP component that allows unauthorized data modification. This article covers technical details, affected versions, and mitigation steps.

Published:

CVE-2020-14621 Overview

CVE-2020-14621 is an easily exploitable vulnerability in the Java API for XML Processing (JAXP) component of Oracle Java SE and Java SE Embedded. This vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise affected Java installations. Successful exploitation enables unauthorized update, insert, or delete access to some accessible data within the Java environment.

The vulnerability can only be exploited by supplying data to APIs in the JAXP component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. This makes it particularly relevant for server-side Java applications that process XML data from untrusted sources.

Critical Impact

Unauthenticated attackers can modify, insert, or delete data in Java SE applications via network-accessible XML processing services, potentially compromising data integrity across enterprise Java deployments.

Affected Products

  • Oracle JDK 7u261, 8u251, 11.0.7, and 14.0.1
  • Oracle JRE 7u261, 8u251, 11.0.7, and 14.0.1
  • Oracle Java SE Embedded 8u251
  • Oracle OpenJDK 7, 8, 11, 13, and 14 (various updates)
  • McAfee ePolicy Orchestrator 5.9.x and 5.10.x
  • NetApp products including Active IQ Unified Manager, OnCommand Insight, and E-Series SANtricity
  • Fedora 31 and 32
  • openSUSE Leap 15.1 and 15.2
  • Canonical Ubuntu Linux 16.04, 18.04, and 20.04
  • Debian Linux 9.0 and 10.0

Discovery Timeline

  • July 15, 2020 - CVE-2020-14621 published to NVD
  • May 27, 2025 - Last updated in NVD database

Technical Details for CVE-2020-14621

Vulnerability Analysis

This vulnerability resides in the JAXP (Java API for XML Processing) component, which provides a common interface for parsing and transforming XML documents in Java applications. The flaw allows remote attackers to manipulate data processing through the JAXP APIs without requiring authentication or user interaction.

The attack is network-based and can be executed through multiple protocols, making it accessible to attackers who can reach vulnerable Java services. The vulnerability specifically affects the integrity of data processed by the JAXP component, allowing unauthorized modifications rather than data exfiltration or service disruption.

Root Cause

The root cause stems from improper input validation within the JAXP component when processing XML data supplied through APIs. The component fails to adequately validate or sanitize certain XML inputs, allowing attackers to inject or modify data within the processing context. This is particularly concerning for web services and server-side applications that accept XML input from untrusted network sources.

Attack Vector

The attack vector is network-based and requires no privileges or user interaction. An attacker can exploit this vulnerability by:

  1. Identifying a Java application that exposes JAXP-based XML processing functionality over the network
  2. Crafting malicious XML data designed to exploit the input validation weakness
  3. Submitting the malicious data to the vulnerable API endpoint via supported network protocols
  4. Achieving unauthorized data manipulation within the application's accessible data scope

The vulnerability cannot be exploited through Untrusted Java Web Start applications or Untrusted Java applets, limiting the attack surface to server-side XML processing scenarios such as web services, REST APIs, or SOAP endpoints that utilize JAXP for XML parsing.

Detection Methods for CVE-2020-14621

Indicators of Compromise

  • Unexpected modifications to application data processed through XML services
  • Anomalous XML payloads in web service request logs containing unusual entity declarations or processing instructions
  • Application errors or warnings related to JAXP XML parsing in server logs

Detection Strategies

  • Implement network intrusion detection signatures for malformed or suspicious XML payloads targeting Java web services
  • Monitor Java application logs for JAXP-related parsing errors or unexpected data modifications
  • Deploy web application firewalls (WAF) with XML validation rules to inspect incoming XML traffic
  • Use SentinelOne's behavioral analysis to detect anomalous Java process activity indicative of exploitation attempts

Monitoring Recommendations

  • Enable detailed logging for all XML processing endpoints in Java applications
  • Monitor for unusual network traffic patterns to Java-based web services
  • Implement integrity monitoring on databases and data stores accessed by Java XML processing applications
  • Configure alerting for any Java application crashes or restarts related to XML parsing

How to Mitigate CVE-2020-14621

Immediate Actions Required

  • Update Oracle JDK/JRE to versions released in the July 2020 Critical Patch Update or later
  • Audit all Java applications for network-exposed JAXP XML processing functionality
  • Implement input validation and XML schema validation for all XML inputs from untrusted sources
  • Review and restrict network access to Java web services to trusted sources where possible

Patch Information

Oracle addressed this vulnerability in the July 2020 Critical Patch Update. Organizations should upgrade to patched versions:

  • Java SE 7u271 or later
  • Java SE 8u261 or later
  • Java SE 11.0.8 or later
  • Java SE 14.0.2 or later

Multiple Linux distributions have released security updates including Debian Security Advisory DSA-4734, Ubuntu Security Notices, and Gentoo GLSA 202008-24. NetApp and McAfee have also released advisories for their affected products.

Workarounds

  • Disable or restrict access to XML processing web services until patches can be applied
  • Implement strict XML schema validation to reject unexpected or malformed XML content
  • Use network segmentation to limit exposure of Java web services to untrusted networks
  • Deploy application-layer firewalls with XML content inspection capabilities
bash
# Verify Java version to confirm patched status
java -version

# Example: Check if running vulnerable version (8u251)
# Output should show 8u261 or later for Java 8
# 1.8.0_261 or higher indicates patched version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne