PT-2024-28452 · Ibm+1 · Eclipse Openj9+1

Published: 2024-05-27 · Updated: 2026-01-21 · CVE-2024-3933

CVSS v3.1: 7.3 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Eclipse OpenJ9 versions 0.13.0 through 0.43.0

Description

The issue occurs when running Eclipse OpenJ9 with the JVM option -Xgc:concurrentScavenge on the IBM Z platform, which has hardware and software support for guarded storage. This allows access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. As a result, it is possible to read and write to addresses beyond the end of the array range.

Recommendations

For Eclipse OpenJ9 versions 0.13.0 through 0.43.0, update to version 0.44.0 or later to resolve the issue. As a temporary workaround, consider disabling the -Xgc:concurrentScavenge JVM option until a patch is available. Restrict access to the System.arraycopy function to minimize the risk of exploitation. Avoid using overlapping source and destination memory regions for arraycopy until the issue is resolved.
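An added triage example (not part of the original advisory or of the OpenJ9 project) that classifies a JVM against the conditions above: affected OpenJ9 release, IBM Z platform, and -Xgc:concurrentScavenge in effect. The `java -version` banners are constructed samples; matching `s390x` in the banner, the comma-separated -Xgc form and the set of environment variables checked are assumptions.

```python
import re

# Range stated in the advisory: 0.13.0 through 0.43.0 (fixed in 0.44.0).
FIRST_AFFECTED, LAST_AFFECTED = (0, 13, 0), (0, 43, 0)
# Environment variables a JVM may read extra options from (assumed audit set).
OPTION_ENV_VARS = ("JAVA_TOOL_OPTIONS", "OPENJ9_JAVA_OPTIONS", "IBM_JAVA_OPTIONS")

# Constructed `java -version` banners, not captured from real hosts.
BANNER_Z_0430 = ('openjdk version "17.0.10" 2024-01-16\n'
                 'Eclipse OpenJ9 VM (build openj9-0.43.0, JRE 17 Linux s390x-64-Bit)')
BANNER_Z_0440 = BANNER_Z_0430.replace("0.43.0", "0.44.0")
BANNER_X86_0430 = BANNER_Z_0430.replace("s390x", "amd64")

def openj9_version(banner):
    """Return the OpenJ9 release as an int tuple, or None if not OpenJ9."""
    m = re.search(r"openj9-(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(p) for p in m.groups()) if m else None

def uses_concurrent_scavenge(option_strings):
    """True if any string carries -Xgc:concurrentScavenge, alone or in a comma list."""
    for opts in option_strings:
        for token in opts.split():
            if token.startswith("-Xgc:"):
                # Assumption: several -Xgc suboptions may be joined with commas.
                if "concurrentScavenge" in token[len("-Xgc:"):].split(","):
                    return True
    return False

def assess(banner, cmdline, env=None):
    """Classify one JVM as 'exposed', 'latent' or 'not affected'."""
    version = openj9_version(banner)
    if version is None or not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not affected"      # other JVM, or release outside the range
    if "s390x" not in banner:
        return "not affected"      # advisory scopes the issue to IBM Z
    sources = [cmdline] + [(env or {}).get(v, "") for v in OPTION_ENV_VARS]
    if uses_concurrent_scavenge(sources):
        return "exposed"           # upgrade, or drop the option as a workaround
    return "latent"                # affected build, option currently not set

if __name__ == "__main__":
    print(assess(BANNER_Z_0430, "java -Xgc:concurrentScavenge -jar app.jar"))
    print(assess(BANNER_Z_0430, "java -jar app.jar"))
    print(assess(BANNER_Z_0440, "java -Xgc:concurrentScavenge -jar app.jar"))
```

A "latent" result still calls for the upgrade to 0.44.0 or later, since the option can be enabled later through a launcher script or environment variable.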

Fix

LPE

Out of bounds Read

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2024-3933
OPENSUSE-SU-2024_4306-1
OPENSUSE-SU-2025:0066-1
OPENSUSE-SU-2025:14747-1
OPENSUSE-SU-2025:14749-1
SUSE-SU-2024:4252-1
SUSE-SU-2024:4306-1

Affected Products

Eclipse Openj9
Suse