CVE-2019-17639

Name of the Vulnerable Software and Affected Versions Eclipse OpenJ9 versions prior to 0.21

Description The issue arises when the System.arraycopy method is called with a length that exceeds the length of the source or destination array, potentially causing the method to return prematurely with an undefined value. This can lead to the use of any value present in the return register at that time, as if it matches the method's declared return type. The problem is specifically noted in certain specially crafted code patterns on Power platforms.

Recommendations For Eclipse OpenJ9 versions prior to 0.21, consider avoiding the use of the System.arraycopy method with lengths that could exceed the array bounds until a fixed version is available. As a temporary workaround, implement input validation to ensure that the length passed to System.arraycopy does not exceed the length of the source or destination array. At the moment, there is no information about a newer version that contains a fix for this vulnerability.