CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5676 – Eclipse OpenJ9 possible infinite busy hang
https://notcve.org/view.php?id=CVE-2023-5676
In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. En Eclipse OpenJ9 anterior a la versión 0.41.0, la JVM puede verse forzada a un bloqueo de ocupación infinita en un bloqueo de giro o una falla de segmentación si se recibe una señal de apagado (SIGTERM, SIGINT o SIGHUP) antes de que la JVM haya terminado de inicializarse. Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault. • https://github.com/eclipse-openj9/openj9/pull/18085 https://gitlab.eclipse.org/security/cve-assignement/-/issues/13 https://access.redhat.com/security/cve/CVE-2023-5676 https://bugzilla.redhat.com/show_bug.cgi?id=2250255 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-2597
https://notcve.org/view.php?id=CVE-2023-2597
In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer. • https://github.com/eclipse-openj9/openj9/pull/17259 https://security.netapp.com/advisory/ntap-20240621-0006 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3676
https://notcve.org/view.php?id=CVE-2022-3676
In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type. En Eclipse Openj9 versiones anteriores a 0.35.0, las llamadas a interfaces pueden ser inlineadas sin una comprobación de tipo en tiempo de ejecución. El código de bytes malicioso podría hacer uso de este inlining para acceder o modificar la memoria por medio de un tipo no compatible • https://github.com/eclipse-openj9/openj9/pull/16122 https://github.com/eclipse/omr/pull/6773 https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/389 • CWE-20: Improper Input Validation CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2021-41041 – java-11-openj9,java-1_8_0-openj9: unverified methods can be invoked using MethodHandles
https://notcve.org/view.php?id=CVE-2021-41041
In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. En Eclipse Openj9 versiones anteriores a 0.32.0, Java 8 y 11 no lanzan la excepción capturada durante la verificación del código de bytes cuando la verificación es desencadenada por una invocación de MethodHandle, permitiendo invocar métodos no verificados mediante MethodHandles • https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744 https://github.com/eclipse-openj9/openj9/pull/14935 https://access.redhat.com/security/cve/CVE-2021-41041 https://bugzilla.redhat.com/show_bug.cgi?id=2080954 • CWE-252: Unchecked Return Value CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') CWE-908: Use of Uninitialized Resource •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41035 – JDK: IllegalAccessError exception not thrown for MethodHandles that invoke inaccessible interface methods
https://notcve.org/view.php?id=CVE-2021-41035
In Eclipse Openj9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. En Eclipse Openj9 versiones anteriores 0.29.0, la JVM no lanza IllegalAccessError para MethodHandles que invocan métodos de interfaz inaccesibles • https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395 https://github.com/eclipse-openj9/openj9/pull/13740 https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/104 https://security.netapp.com/advisory/ntap-20240621-0006 https://access.redhat.com/security/cve/CVE-2021-41035 https://bugzilla.redhat.com/show_bug.cgi?id=2027791 • CWE-250: Execution with Unnecessary Privileges CWE-440: Expected Behavior Violation CWE-732: Incorrect Permission Assignment for Critical Resource •