PT-2021-17786 · Eclipse · Eclipse Openj9

Zekerzhayardo

·

Published

2021-04-21

·

Updated

2024-06-21

·

CVE-2021-28167

CVSS v3.1

6.5

Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: Eclipse OpenJ9 versions prior to 0.25.0
Description: Using the jdk.internal.reflect.ConstantPool API causes the JVM, in some cases, to pre-resolve certain constant pool entries. A caller can then invoke static methods or read static fields of a class without that class's initialization method (<clinit>) having run, and may observe static fields in their default, uninitialized state rather than the values the static initializer was meant to assign. The CVSS vector reflects the limited confidentiality and integrity impact: invariants that a class establishes at initialization time (for example a security-relevant constant set in a static initializer) can be bypassed by code that can reach this internal API.
Recommendations: Upgrade Eclipse OpenJ9 to version 0.25.0 or later; the fix is in the JVM, so restricting individual static methods or fields in application code does not address the root cause. Until the upgrade is deployed, do not let application code reach jdk.internal.reflect.ConstantPool. On Java 9 and later the jdk.internal.reflect package is not exported to application modules by default, so the API is only reachable when the JVM is started with an --add-exports java.base/jdk.internal.reflect=... flag (or an equivalent --add-opens); avoid granting that flag to untrusted code. On Java 8 the equivalent class is sun.reflect.ConstantPool and no module boundary protects it, so upgrading is the only effective fix there.
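Since the fix is a JVM upgrade, the practical check is whether a given runtime is an OpenJ9 build older than 0.25.0. The following POSIX shell script is an added example (not code from the advisory or from the OpenJ9 project) that parses the banner "java -version" prints; OpenJ9 reports its own release as "openj9-X.Y.Z" inside that banner. The three sample banners are constructed for this example, and the build tags and dates in them are illustrative only.

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenJ9 project): flag a JVM whose
# "java -version" banner reports an Eclipse OpenJ9 release older than 0.25.0.

# Constructed sample banners in the layout OpenJ9 and HotSpot print; build tags
# and dates are illustrative only.
SAMPLE_VULNERABLE='openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.10+9)
Eclipse OpenJ9 VM AdoptOpenJDK (build openj9-0.24.0, JRE 11 Linux amd64-64-Bit Compressed References 20210120_910 (JIT enabled, AOT enabled)'

SAMPLE_FIXED='openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.11+9)
Eclipse OpenJ9 VM AdoptOpenJDK (build openj9-0.26.0, JRE 11 Linux amd64-64-Bit Compressed References 20210421_975 (JIT enabled, AOT enabled)'

SAMPLE_HOTSPOT='openjdk version "11.0.10" 2021-01-19
OpenJDK Runtime Environment (build 11.0.10+9)
OpenJDK 64-Bit Server VM (build 11.0.10+9, mixed mode)'

# openj9_version BANNER -> prints "X.Y.Z", or nothing if the VM is not OpenJ9.
openj9_version() {
  printf '%s\n' "$1" \
    | sed -n 's/.*openj9-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# version_lt A B -> exit status 0 if dotted version A is strictly older than B.
# Compares the three numeric components in turn; OpenJ9 releases use X.Y.Z.
version_lt() {
  a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
  b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
  [ "$a1" -lt "$b1" ] && return 0
  [ "$a1" -gt "$b1" ] && return 1
  [ "$a2" -lt "$b2" ] && return 0
  [ "$a2" -gt "$b2" ] && return 1
  [ "$a3" -lt "$b3" ]
}

# cve_2021_28167_status BANNER -> prints "vulnerable", "fixed" or "not-openj9".
cve_2021_28167_status() {
  v=$(openj9_version "$1")
  if [ -z "$v" ]; then
    echo "not-openj9"
  elif version_lt "$v" "0.25.0"; then
    echo "vulnerable"
  else
    echo "fixed"
  fi
}

# Against a real installation: java -version writes its banner to stderr.
# cve_2021_28167_status "$(java -version 2>&1)"
```

Run it against every JVM on a host (each java binary in PATH, container images, bundled runtimes under application directories), not just the default one; an application that ships its own embedded OpenJ9 is not covered by a check of the system java.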


Related Identifiers

CVE-2021-28167

Affected Products

Eclipse Openj9