PT-2018-12919
Published 2018-08-20 · Updated 2019-10-09 · CVE-2018-1517
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
IBM SDK, Java Technology Edition versions 6.0 through 8.0
Eclipse OpenJ9 (affected versions not specified)
Description
A flaw in the java.math component may allow a remote attacker to cause a denial of service by supplying specially crafted String data. Additionally, Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system because it fails to restrict the use of the Java Attach API; this could enable the attacker to execute untrusted native code with elevated privileges.
Recommendations
For IBM SDK, Java Technology Edition versions 6.0 through 8.0, update to a version that includes the fix for the java.math component flaw.
For Eclipse OpenJ9, restrict use of the Java Attach API so that it can only connect to an Eclipse OpenJ9 or IBM JVM on the same machine, and limit Attach API operations to the process owner.
As a temporary workaround, consider disabling the Java Attach API until a patch is available.
Tags: Fix · DoS · RCE
Affected Products
Eclipse OpenJ9
IBM AIX
IBM SDK
Red Hat
SUSE