#VU91984 Permissions, Privileges, and Access Controls in OpenJ9 - CVE-2024-3933


Vulnerability identifier: #VU91984

Vulnerability risk: Low

CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-3933

CWE-ID: CWE-264

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
OpenJ9
Server applications / Virtualization software

Vendor: Eclipse

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability occurs when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. A local user can exploit the vulnerability to read and write to addresses beyond the end of the array range.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OpenJ9: 0.14.0-m1 - 0.43.0

External links
https://gitlab.eclipse.org/security/cve-assignement/-/issues/21
https://github.com/eclipse/omr/pull/7275

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


IBM Cloud Application Performance Management update for Eclipse Openj9
Multiple vulnerabilities in IBM Storage Protect Backup-Archive Client
Multiple vulnerabilities in IBM Sterling Transformation Extender
Multiple vulnerabilities in IBM Tivoli Netcool Impact
Multiple vulnerabilities in IBM Tivoli Monitoring for Virtual Environments Base
Multiple vulnerabilities in IBM Db2 Query Management Facility
SUSE update for java-1_8_0-ibm
SUSE update for java-1_8_0-ibm
Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM)
Multiple vulnerabilities in IBM Control Center