Buffer Overflow Vulnerability in Eclipse OpenJ9 Native Methods
CVE-2018-12547

9.8CRITICAL

Key Information:

Vendor

The Eclipse Foundation

Status
Eclipse Openj9
Vendor
CVE Published:
11 February 2019

What is CVE-2018-12547?

In Eclipse OpenJ9 prior to version 0.12.0, the jio_snprintf() and jio_vsnprintf() native methods fail to properly enforce the length parameter. This oversight can lead to existing APIs invoking these functions to exceed their allocated buffer size, potentially resulting in buffer overflow vulnerabilities. Although these functions are not directly callable by non-native user code, their misuse through existing APIs poses a risk to application integrity and security.

Affected Version(s)

Eclipse OpenJ9 < 0.12.0

References

https://access.redhat.com/errata/RHSA-2019:0474
vendor-advisoryx_refsource_REDHAT
https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2019:0469
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.