CVE-2018-12549

Name of the Vulnerable Software and Affected Versions Eclipse OpenJ9 version 0.11.0 libjpeg (affected versions not specified)

Description The issue is related to insufficient input validation in the OpenJ9 JIT compiler component of the Eclipse OpenJ9 virtual machine. This can be exploited by a remote attacker to execute arbitrary code. Additionally, there is a problem with the OpenJ9 JIT compiler incorrectly omitting a null check on the receiver object of an Unsafe call when accelerating it. Furthermore, libjpeg is vulnerable to a denial of service caused by a divide-by-zero error in the alloc sarray function in jmemmgr.c, which can be exploited by a remote attacker to cause the application to crash by persuading a victim to open a specially-crafted file.

Recommendations For Eclipse OpenJ9 version 0.11.0, consider disabling the JIT compiler as a temporary workaround until a patch is available. For libjpeg, avoid using the alloc sarray function in jmemmgr.c until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.