CVE-2019-11771
https://notcve.org/view.php?id=CVE-2019-11771
AIX builds of Eclipse OpenJ9 before 0.15.0 contain unused RPATHs which may facilitate code injection and privilege elevation by local users. Las compilaciones de AIX de OpenJ9 anterior a versión 0.15.0 de Eclipse, contienen RPATHs no utilizados que pueden facilitar la inyección de código y la elevación de privilegios por parte de los usuarios locales. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=548055 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2019-10245 – JDK: Read beyond the end of bytecode array causing JVM crash
https://notcve.org/view.php?id=CVE-2019-10245
In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load. En Eclipse OpenJ9, en versiones anteriores a 0.14.0, el verificador bytecode de Java permite incorrectamente que un método se ejecute más allá del final de la matriz de código de bytes causando cierres inesperados. Eclipse OpenJ9 versión 0.14.0 detecta correctamente este caso y rechaza la carga de clase intentada • http://www.securityfocus.com/bid/108094 https://access.redhat.com/errata/RHSA-2019:1163 https://access.redhat.com/errata/RHSA-2019:1164 https://access.redhat.com/errata/RHSA-2019:1165 https://access.redhat.com/errata/RHSA-2019:1166 https://access.redhat.com/errata/RHSA-2019:1238 https://access.redhat.com/errata/RHSA-2019:1325 https://bugs.eclipse.org/bugs/show_bug.cgi?id=545588 https://access.redhat.com/security/cve/CVE-2019-10245 https://bugzilla.redhat.com/show_ • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2018-12549 – JDK: missing null check when accelerating Unsafe calls
https://notcve.org/view.php?id=CVE-2018-12549
In Eclipse OpenJ9 version 0.11.0, the OpenJ9 JIT compiler may incorrectly omit a null check on the receiver object of an Unsafe call when accelerating it. En Eclipse OpenJ9 0.11.0, el compilador JIT de OpenJ9 podría omitir incorrectamente una comprobación nula en el objeto recibidor de una llamada no segura al acelerarla. • https://access.redhat.com/errata/RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:1238 https://bugs.eclipse.org/bugs/show_bug.cgi?id=544019 https://access.redhat.com/security/cve/CVE-2018-12549 https://bugzilla.redhat.com/show_bug.cgi?id=1685717 • CWE-20: Improper Input Validation CWE-111: Direct Use of Unsafe JNI •
CVE-2018-12547 – JDK: buffer overflow in jio_snprintf() and jio_vsnprintf()
https://notcve.org/view.php?id=CVE-2018-12547
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code. En Eclipse OpenJ9, en versiones anteriores a la 0.12.0, los métodos nativos jio_snprintf() y jio_vsnprintf() ignoraban el parámetro length. Esto afecta a las API existentes que llamaban a las funciones para sobrepasar el búfer asignado. • https://access.redhat.com/errata/RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0473 https://access.redhat.com/errata/RHSA-2019:0474 https://access.redhat.com/errata/RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:1238 https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659 https://access.redhat.com/security/cve/CVE-2018-12547 https://bugzilla.redhat.com/show_bug.cgi?id=1685611 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2018-12548
https://notcve.org/view.php?id=CVE-2018-12548
In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public jdk.crypto.jniprovider.NativeCrypto class contains public static natives which accept pointer values that are dereferenced in the native code. En OpenJDK + Eclipse OpenJ9 en versiones con build 0.11.0, la clase pública jdk.crypto.jniprovider.NativeCrypto contiene nativos de estado públicos que aceptan valores de puntero que se desreferencian en el código nativo. • https://bugs.eclipse.org/bugs/show_bug.cgi?id=543792 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-822: Untrusted Pointer Dereference •