#VU44142 Type Confusion in OpenJ9 - CVE-2019-17639


Vulnerability identifier: #VU44142

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-17639

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenJ9
Server applications / Virtualization software

Vendor: Eclipse

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error on Power platforms. A remote attacker can call the System.arraycopy method with a length longer than the length of the source or destination array and cause the current method to return prematurely with an undefined return value. As a result, a remote attacker can influence application flow and execute arbitrary code on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenJ9: 0.0M1 - 0.21.0-m2

External links
https://bugs.eclipse.org/bugs/show_bug.cgi?id=563998

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vunerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM CICS TX on Cloud
IBM Cloud Application Business Insights update for IBM SDK Java
IBM Tivoli Monitoring update for IBM Java SDK
Red Hat Enterprise Linux 7 Supplementary update for java-1.8.0-ibm
IBM VIOS update for Java SDK
IBM AIX update for Java SDK
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Red Hat Enterprise Linux 8 update for java-1.8.0-ibm
Red Hat Enterprise Linux 6 Supplementary update for java-1.7.1-ibm