CVE-2019-11772

Name of the Vulnerable Software and Affected Versions Eclipse OpenJ9 versions prior to 0.15

Description The issue is related to the String.getBytes(int, int, byte[], int) method in Eclipse OpenJ9, which does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager. The vulnerability is also associated with a buffer overflow, which could allow a remote attacker to execute arbitrary code.

Recommendations For Eclipse OpenJ9 versions prior to 0.15, update to version 0.15 or later to resolve the issue. As a temporary workaround, consider restricting the use of the String.getBytes(int, int, byte[], int) method until a patch is available. Additionally, ensure that all code run under a SecurityManager is thoroughly reviewed and validated to prevent potential exploitation.