CVE-2019-2996: Medium severity ibm engineering requirements quality assistant vulnerability

Published Oct 15, 2019
·
Updated

An unspecified vulnerability in Java SE related to the Deployment component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.

Other sources

Oracle Java SE 8u221 fixes an unspecified vulnerability in the Deployment component (CVE-2019-2996). Upstream has CVSS scored this issue as: 4.2/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

External Reference:

https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA

Red Hat

Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Deployment). The supported version that is affected is Java SE: 8u221; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 4.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N).

Affected Software

23 affected componentsFixes available
redhat/java<1.8.0-ibm-1:1.8.0.6.0-1jpp.1.el6_10
1.8.0-ibm-1:1.8.0.6.0-1jpp.1.el6_10
redhat/java<1.8.0-ibm-1:1.8.0.6.0-1jpp.1.el7
1.8.0-ibm-1:1.8.0.6.0-1jpp.1.el7
redhat/java<1.8.0-ibm-1:1.8.0.6.0-3.el8_1
1.8.0-ibm-1:1.8.0.6.0-3.el8_1
IBM Engineering Requirements Quality Assistant On-Premises<=All
Oracle JDK=1.8.0-update221
Oracle JRE=1.8.0-update221
NetApp E-Series SANtricity OS Controller>=11.0.0<=11.50.2
NetApp E-series Santricity Storage Manager
NetApp E-series Santricity Unified Manager
NetApp E-series Santricity Web Services Proxy
NetApp OnCommand Workflow Automation
NetApp Snapmanager Oracle
NetApp Snapmanager Sap
redhat Satellite=5.8
redhat Enterprise Linux=8.0
redhat Enterprise Linux Desktop=6.0
redhat Enterprise Linux Desktop=7.0
redhat Enterprise Linux Eus=8.1
redhat Enterprise Linux Eus=8.6
redhat Enterprise Linux Server=6.0
redhat Enterprise Linux Server=7.0
redhat Enterprise Linux Workstation=6.0
redhat Enterprise Linux Workstation=7.0

Remediation

Patch Available

http://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Patch Available

https://access.redhat.com/errata/RHSA-2019:4113

Patch Available

https://access.redhat.com/errata/RHSA-2019:4115

Patch Available

https://access.redhat.com/errata/RHSA-2020:0006

Patch Available

https://access.redhat.com/errata/RHSA-2020:0046

Event History

Oct 15, 2019
CVE Published
12:00 AM
Oct 16, 2019
CVE Published
via MITRE·05:40 PM
Data Sourced
via MITRE·05:40 PM
DescriptionWeakness
Dec 2, 2019
Data Sourced
via Red Hat·09:35 PM
DescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2019-2996?

CVE-2019-2996 is a vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE that allows an unauthenticated attacker with network access to compromise the Java SE Deployment component.

2

How severe is CVE-2019-2996?

CVE-2019-2996 has a severity level of medium (4) according to the Common Vulnerability Scoring System (CVSS).

3

What software versions are affected by CVE-2019-2996?

The affected software versions are Java SE 8u221 and Java SE Embedded 8u221.

4

How can I fix CVE-2019-2996?

To fix CVE-2019-2996, update your Java SE or Java SE Embedded to version 8u221.

5

Where can I find more information about CVE-2019-2996?

You can find more information about CVE-2019-2996 on the following references: [https://access.redhat.com/security/cve/CVE-2019-2996](https://access.redhat.com/security/cve/CVE-2019-2996), [https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA](https://www.oracle.com/security-alerts/cpuoct2019.html#AppendixJAVA), [https://access.redhat.com/errata/RHSA-2019:4113](https://access.redhat.com/errata/RHSA-2019:4113)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203