PT-2022-20558 · Unknown · Unsafeaccessor

Karlatemp · Published 2022-07-11 · Updated 2023-07-24 · CVE-2022-31139

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
UnsafeAccessor versions 1.4.0 through 1.6.x

Description
The issue concerns UnsafeAccessor (UA), a bridge to access jdk.internal.misc.Unsafe and sun.misc.Unsafe. Normally, when UA is loaded as a named module, its internal data is protected by the JVM, and access is limited to UA's standard API. The main application can set up SecurityCheck.AccessLimiter for UA to limit access. However, in affected versions, once SecurityCheck.AccessLimiter is set up, untrusted code can access UA without limitation, even when UA is loaded as a named module. Deployments that do not set up SecurityCheck.AccessLimiter are not affected by this issue.

Recommendations
For versions 1.4.0 through 1.6.x, update to version 1.7.0 to resolve the issue. As a temporary workaround, consider not setting up SecurityCheck.AccessLimiter for UA until the patch is applied. Restrict access to UA to minimize the risk of exploitation.

Weakness Enumeration

Incorrect Authorization
Information Disclosure

Related Identifiers

CVE-2022-31139
GHSA-CR6P-23CF-W9G9

Affected Products

Unsafeaccessor