#VU67029 Error Handling in OpenJ9 - CVE-2021-41041


Vulnerability identifier: #VU67029

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-41041

CWE-ID: CWE-388

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenJ9
Server applications / Virtualization software

Vendor: Eclipse

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to Java versions 8 and 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation. A remote attacker can invoke unverified methods using MethodHandles and bypass implemented security restrictions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenJ9: 0.0M1 - 0.32.0-m1a

External links
https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744
https://github.com/eclipse-openj9/openj9/pull/14935

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Common Licensing
Multiple vulnerabilities in IBM Operations Analytics Predictive Insights
Multiple vulnerabilities in IBM Cloud Pak System
Error handling in IBM CICS TX Advanced
Error handling in IBM Tivoli System Automation Application Manager
Error handling in IBM Tivoli Netcool Configuration Manager
IBM Tivoli Application Dependency Discovery Manager update for IBM SDK Java
IBM Tivoli System Automation for Multiplatforms update for Java Eclipse-OpenJ9
IBM Tivoli Monitoring update for IBM Java
Error handling in CICS Transaction Gateway Desktop Edition