PT-2018-2769 · Eclipse · Eclipse OpenJ9

Jeff Dileo · Published 2018-05-11 · Updated 2019-10-09 · CVE-2018-12539

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse OpenJ9 version 0.8

Description: The issue is related to the Java Attach API, which is enabled by default on Windows, Linux, and AIX JVMs. This allows users other than the process owner to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and execute untrusted native code using Attach API operations. The vulnerability may also be related to the recovery of an invalid data structure in memory, potentially allowing an attacker to execute arbitrary code. A local attacker could exploit this to gain elevated privileges on the system.

Recommendations: For Eclipse OpenJ9 version 0.8, consider disabling the Java Attach API using the command line option -Dcom.ibm.tools.attach.enable=no as a temporary workaround to minimize the risk of exploitation.
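A quick way to verify which JVMs on a Linux or AIX host were actually started with that workaround, added here as an example (not part of the advisory): a POSIX sh/awk audit over "ps -eo pid,args" output. The sample rows are constructed, and the check only credits the flag when it sits among the JVM options, before -jar or the main class, since a flag placed after them is just an argument to the application.

```shell
# Added example, not from the advisory: audit running JVM command lines for
# the workaround flag -Dcom.ibm.tools.attach.enable=no.
# Constructed sample in the shape of "ps -eo pid,args" (PID, then command line).
SAMPLE_PS='PID COMMAND
1234 /opt/openj9/bin/java -Xmx1g -jar app.jar
1240 /opt/openj9/bin/java -Dcom.ibm.tools.attach.enable=no -jar svc.jar
1255 /opt/openj9/bin/java -jar tool.jar -Dcom.ibm.tools.attach.enable=no
1301 /usr/bin/nginx -g daemon off;'

# Print one line per java process: "<pid> UNPROTECTED" when the flag is
# absent from the JVM options, "<pid> protected" when present.
# Rows whose executable is not java (including the ps header) are skipped.
audit_attach_api() {
    printf '%s\n' "$1" | awk '
        $2 ~ /(^|\/)java$/ {
            status = "UNPROTECTED"
            # JVM options end at -jar or at the first token not starting with "-";
            # -cp/-classpath consume the following token, so skip over it.
            for (i = 3; i <= NF; i++) {
                if ($i == "-cp" || $i == "-classpath") { i++; continue }
                if ($i == "-jar" || substr($i, 1, 1) != "-") break
                if ($i == "-Dcom.ibm.tools.attach.enable=no") status = "protected"
            }
            print $1, status
        }'
}

# Number of java processes still exposing the Attach API (0 when none).
count_unprotected() {
    audit_attach_api "$1" | grep -c ' UNPROTECTED$' || true
}

# Live use on a host: audit_attach_api "$(ps -eo pid,args)"
```

Process 1255 is reported as UNPROTECTED on purpose: its flag follows -jar, so the JVM never sees it as an option.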

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2019-01762
CVE-2018-12539
RHSA-2018:2568
RHSA-2018:2569
RHSA-2018:2575
RHSA-2018:2576
RHSA-2018:2712
RHSA-2018:2713
SUSE-SU-2018:2574-1
SUSE-SU-2018:2583-1
SUSE-SU-2018:2649-1
SUSE-SU-2018:2649-2
SUSE-SU-2018:2839-1
SUSE-SU-2018:2839-2
SUSE-SU-2018:3082-1

Affected Products

Eclipse OpenJ9
IBM AIX
Red Hat
SUSE