#VU68844 Type Confusion in OpenJ9 - CVE-2022-3676


Vulnerability identifier: #VU68844

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-3676

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenJ9
Server applications / Virtualization software

Vendor: Eclipse

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to a type confusion error. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and access or modify memory.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenJ9: 0.0M1 - 0.35.0-m2

External links
https://github.com/eclipse/omr/pull/6773
https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/389
https://github.com/eclipse-openj9/openj9/pull/16122

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Type confusion in IBM watsonx.data
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management
Type confusion in IBM Tivoli Netcool/OMNIbus
Multiple vulnerabilities in IBM QRadar SIEM
Multiple vulnerabilities in IBM Application Performance Management products
Type confusion in IBM Intelligent Operations Center (IOC)
Multiple vulnerabilities in IBM Rational Synergy
Multiple vulnerabilities in IBM Cloud Transformation Advisor
Multiple vunerabilities in IBM Cloud Pak System
Multiple vulnerabilities in IBM App Connect Enterprise and IBM Integration Bus