PT-2020-9928 · Eclipse · Eclipse Memory Analyzer

Andrew Johnson · Published 2020-01-17 · Updated 2020-01-23 · CVE-2019-17635

CVSS v3.1: 7.8 (High)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Eclipse Memory Analyzer versions 1.9.1 and earlier

Description: The issue is a deserialization vulnerability. When Memory Analyzer parses a heap dump it writes index files, and when the same dump is reopened it reuses those index files rather than parsing the dump again. If an index file is replaced with a malicious version and the heap dump is then reopened in Memory Analyzer, untrusted data is deserialized. The user must choose to reopen an already parsed heap dump with an untrusted index for the problem to occur (hence UI:R in the vector). Additionally, some local configuration data is subject to the same deserialization problem if it is replaced with a malicious version; this is averted if the local configuration data stored on the file system cannot be changed by an attacker. The vulnerability could allow code execution on the local system, with the privileges of the user running Memory Analyzer.

Recommendations: For Eclipse Memory Analyzer versions 1.9.1 and earlier, delete index files that come from untrusted sources, then open the heap dump again so that it is re-parsed and fresh index files are generated. Ensure that local configuration data stored on the file system cannot be changed by an attacker.
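The recommendation above is a filesystem procedure: find the index files Memory Analyzer would reuse, decide whether they can be trusted, and delete the ones that cannot so the dump is re-parsed. The script below, added here as an illustration and not code from the advisory or from Memory Analyzer itself, does exactly that. It assumes (the advisory does not say this) that MAT stores its indices beside the heap dump under names of the form `<dump stem>.<kind>.index`, `<dump stem>.index` and `<dump stem>.threads`, and that the host uses POSIX ownership and permission bits. The trust checks (ownership, write bits, relative timestamps, directory permissions) are heuristics chosen for this example; the sample files in `demo()` are constructed.

```python
"""Quarantine untrusted Eclipse Memory Analyzer (MAT) index files before reopening a dump.

Added example for CVE-2019-17635; not code from the advisory or from MAT.
Assumed (not stated in the advisory): MAT writes its indices next to the heap dump
as <dump stem>.<kind>.index, <dump stem>.index and <dump stem>.threads, and the
host uses POSIX ownership and permission bits.
"""
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed MAT index naming: any sibling matching this is loaded instead of re-parsing.
INDEX_SUFFIXES = (".index", ".threads")


def index_files_for(dump: Path) -> List[Path]:
    """Sibling files that MAT would reuse instead of re-parsing `dump`."""
    stem = dump.name.rsplit(".", 1)[0]  # heap.hprof -> heap
    found = [
        p for p in dump.parent.iterdir()
        if p != dump and p.is_file()
        and p.name.startswith(stem + ".") and p.name.endswith(INDEX_SUFFIXES)
    ]
    return sorted(found)


def untrusted_reasons(dump: Path, idx: Path) -> List[str]:
    """Why `idx` must not be trusted alongside `dump`; an empty list means it looks fine."""
    d, i = dump.stat(), idx.stat()
    reasons: List[str] = []
    if i.st_uid != d.st_uid:
        reasons.append("owner differs from the heap dump's owner")
    if i.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("index is group- or world-writable")
    if i.st_mtime < d.st_mtime:
        reasons.append("index predates the heap dump, so it was not produced by parsing it")
    parent_mode = idx.parent.stat().st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        reasons.append("containing directory is world-writable without the sticky bit")
    return reasons


def quarantine_untrusted(dump: Path, delete: bool = False) -> Dict[str, List[str]]:
    """Flag, and optionally delete, index files that fail the checks.

    Deleting them is the advisory's fix: MAT then re-parses the dump from scratch
    and regenerates the indices itself.
    """
    flagged: Dict[str, List[str]] = {}
    for idx in index_files_for(dump):
        reasons = untrusted_reasons(dump, idx)
        if reasons:
            flagged[idx.name] = reasons
            if delete:
                idx.unlink()
    return flagged


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one clean index next to one that anyone could have replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        dump = d / "heap.hprof"
        dump.write_bytes(b"JAVA PROFILE 1.0.2\0")  # constructed stand-in, not a real dump
        clean = d / "heap.domIn.index"
        clean.write_bytes(b"constructed index bytes")
        clean.chmod(0o644)  # writable by the owner only
        planted = d / "heap.inbound.index"
        planted.write_bytes(b"constructed index bytes")
        planted.chmod(0o666)  # world-writable: any local user could have swapped it
        return quarantine_untrusted(dump)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        results = quarantine_untrusted(Path(sys.argv[1]), delete="--delete" in sys.argv)
        for name, why in results.items():
            print(f"{name}: {'; '.join(why)}")
```

Run it with the path of a heap dump to list suspicious index files, or with `--delete` to remove them so that Memory Analyzer re-parses the dump on the next open. The checks can only flag an index that is obviously exposed; they cannot prove that an index is genuine, so if there is any doubt about who could have written to the directory, delete the indices and re-parse, as the recommendation says.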

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2019-17635

Affected Products

Eclipse Memory Analyzer