
CVE-2020-14798: Oracle OpenJDK Auth Bypass Vulnerability

CVE-2020-14798 is an authentication bypass vulnerability in Oracle OpenJDK affecting Java SE versions 7u271, 8u261, 11.0.8, and 15. This article covers technical details, affected versions, security impact, and mitigation.

CVE-2020-14798 Overview

CVE-2020-14798 is a vulnerability in the Libraries component of Oracle Java SE and Java SE Embedded. Affected versions include Java SE 7u271, 8u261, 11.0.8, and 15, as well as Java SE Embedded 8u261. The flaw also impacts downstream distributions including Oracle OpenJDK, OpenJDK builds in Debian and openSUSE Leap, and multiple NetApp products that bundle Java runtimes. An unauthenticated network-based attacker can exploit the issue, but successful attacks require user interaction and high attack complexity. Successful exploitation can result in unauthorized update, insert, or delete access to a subset of Java SE data.

Critical Impact

The vulnerability targets sandboxed Java Web Start applications and sandboxed Java applets that load untrusted code. It does not affect server-side Java deployments that run only trusted code installed by an administrator.

Affected Products

  • Oracle Java SE 7u271, 8u261, 11.0.8, 15 and Java SE Embedded 8u261
  • Oracle OpenJDK, JDK, and JRE distributions across versions 7, 8, 11, 13, and 15
  • NetApp products including active_iq_unified_manager, oncommand_insight, e-series_santricity_os_controller, snapmanager, solidfire, and hci_management_node
  • Debian Linux 9, Debian Linux 10, and openSUSE Leap 15.2

Discovery Timeline

  • 2020-10-21 - CVE-2020-14798 published to NVD as part of the Oracle October 2020 Critical Patch Update
  • 2025-05-27 - Last updated in NVD database

Technical Details for CVE-2020-14798

Vulnerability Analysis

The defect resides in the Libraries component of Oracle Java SE. According to Oracle, exploitation is limited to integrity impact — an attacker can perform unauthorized update, insert, or delete operations against a constrained set of Java SE-accessible data. Confidentiality and availability are not affected. The vulnerability requires the attacker to lure a user into executing untrusted Java content through Java Web Start or a Java applet that depends on the Java sandbox for isolation. Because the issue affects multiple major JDK release trains, organizations that ship Java with appliances and management tools inherit the exposure through bundled runtimes.

Root Cause

Oracle has not published implementation-level details for the Libraries defect, and the NVD entry classifies the weakness as NVD-CWE-noinfo. The behavior described by Oracle is consistent with a sandbox boundary weakness in a library API that permits a sandboxed applet or Web Start application to influence data outside its intended scope. Refer to the Oracle Critical Patch Update for the authoritative scope statement.

Attack Vector

Exploitation requires a victim to load attacker-controlled Java content over the network using Java Web Start or an applet host. The attacker delivers untrusted Java bytecode through a malicious page or document. The user must interact with the content, typically by accepting a security prompt or running a .jnlp file. Once executed, the malicious code abuses the affected Libraries API to modify data the sandbox should have protected. The attack complexity is high because reliable exploitation depends on environmental factors and a cooperating user.

No verified proof-of-concept code is publicly available. Vulnerability mechanics are documented in the Oracle Critical Patch Update advisory and the NetApp Security Advisory.

Detection Methods for CVE-2020-14798

Indicators of Compromise

  • Execution of javaws.exe or javaws launching .jnlp files retrieved from untrusted internet origins
  • Outbound HTTP/HTTPS connections from the Java runtime (java.exe, java) to non-corporate domains immediately after a browser session
  • Creation or modification of files in Java sandbox cache paths such as %APPDATA%\Sun\Java\Deployment\cache or ~/.java/deployment/cache followed by unexpected data writes

Detection Strategies

  • Inventory installed JRE and JDK versions across endpoints and servers; flag any host running Java SE 7u271, 8u261, 11.0.8, 15, or earlier
  • Monitor process telemetry for javaws and browser plug-in container processes spawning Java with remote .jnlp arguments
  • Correlate web proxy logs for downloads of .jnlp, .jar, or signed applet content from low-reputation domains
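As an added example (not code from the original page or from Oracle), the inventory and process-telemetry checks above in Python: Java version strings in both legacy (1.8.0_261) and modern (11.0.8, 15) numbering are normalised and compared against the last affected release of each train the text lists, and javaws command lines are flagged when they launch a .jnlp from an origin outside an assumed corporate domain. Hostnames, the corporate domain and the sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Last affected release on each train named in the text above (7u271, 8u261, 11.0.8, 15).
# Trains the page lists without a version (e.g. OpenJDK 13) are reported as None.
LAST_AFFECTED = {7: (7, 0, 271), 8: (8, 0, 261), 11: (11, 0, 8), 15: (15, 0, 0)}
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?")      # 1.8.0_261 style (Java 7/8)
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")    # 11.0.8 / 15 / 15.0.1 style
_JAVAWS = re.compile(r"^\S*javaws(?:\.exe)?(?:\s|$)", re.I)
_REMOTE_JNLP = re.compile(r"https?://[^\s\"']+\.jnlp\b", re.I)

def parse_java_version(text):
    """Normalise a 'java -version' string to a comparable (major, minor, security) tuple."""
    m = _LEGACY.match(text)
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    m = _MODERN.match(text)
    if not m:
        raise ValueError(f"unrecognised Java version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0), int(m.group(3) or 0)

def is_affected(text):
    """True if at or below the last affected release, False if newer, None if the train is not tabulated."""
    v = parse_java_version(text)
    last = LAST_AFFECTED.get(v[0])
    if last is None:
        return None
    return v <= last

def is_suspicious_javaws_launch(cmdline, corporate_domains=()):
    """Flag javaws launching a .jnlp fetched from an origin outside the corporate domains."""
    if not _JAVAWS.match(cmdline):
        return False
    m = _REMOTE_JNLP.search(cmdline)
    if not m:
        return False  # local .jnlp or no launch file on the command line
    host = (urlparse(m.group(0)).hostname or "").lower()
    return not any(host == d or host.endswith("." + d) for d in corporate_domains)

# Constructed sample inventory and process-telemetry lines (not real hosts).
SAMPLE_VERSIONS = ["1.8.0_261", "1.8.0_271", "11.0.8", "11.0.9", "15", "15.0.1", "13.0.4"]
SAMPLE_CMDLINES = [
    "javaws.exe -Xnosplash https://cdn.example.net/launch.jnlp",    # external origin
    "/usr/bin/javaws http://intranet.corp.example/tools/app.jnlp",  # corporate origin
    "java -jar /opt/tools/build.jar",                               # not a Web Start launch
]

if __name__ == "__main__":
    print({v: is_affected(v) for v in SAMPLE_VERSIONS})
    print([is_suspicious_javaws_launch(c, ("corp.example",)) for c in SAMPLE_CMDLINES])
```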

Monitoring Recommendations

  • Alert on Java processes performing unexpected file writes outside user document directories
  • Track NetApp management appliances and other bundled-Java products for vendor advisories matching NTAP-20201023-0004
  • Log changes to deployment.config and deployment.properties that adjust Java security settings or trusted certificates

How to Mitigate CVE-2020-14798

Immediate Actions Required

Patch Information

Oracle released fixes in the October 2020 Critical Patch Update. Refer to the Oracle Critical Patch Update for upgrade matrices. Linux distributions shipped corresponding updates: see the Gentoo GLSA 202101-19, Debian DSA-4779, and openSUSE advisory. NetApp customers should follow product-specific guidance in the NetApp Security Advisory.

Workarounds

  • Set the Java security level to High or Very High and remove unused sites from the Exception Site List in the Java Control Panel
  • Block execution of .jnlp files at the email gateway and web proxy where Java Web Start is not a business requirement
  • Restrict outbound network access from the Java runtime using application allowlisting to prevent retrieval of untrusted code

```properties
# Configuration example: disable the Java browser plug-in and Web Start by
# hardening the system-level deployment.properties file that deployment.config
# points to (on Linux typically /etc/.java/deployment/deployment.properties)
deployment.webjava.enabled=false
deployment.javaws.enabled=false
deployment.security.level=VERY_HIGH
deployment.expiration.check.enabled=true
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
