Security Bulletin: CVE-2021-28167 may affect IBM® SDK, Java™ Technology Edition

Source: www.ibm.com
Published: Oct 27, 2022, 4:44 p.m.

CVSS v2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: None

CVSS v3.1: 6.5 Medium (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: Low; Integrity Impact: Low; Availability Impact: None

EPSS: 0.001 (Low), percentile 43.7%

Summary

CVE-2021-28167 was addressed in Eclipse OpenJ9 version 0.26. The IBM SDK, Java Technology Edition releases listed below are affected; the fix level is given under Remediation/Fixes.

Vulnerability Details

CVEID: CVE-2021-28167
**DESCRIPTION:** Eclipse OpenJ9 could allow a remote attacker to bypass security restrictions, caused by a flaw in the jdk.internal.reflect.ConstantPool API. By sending a specially-crafted request, an attacker could exploit this vulnerability to call static methods or access static members of a class without its class initialization method (the static initializer) having run, so any check or state set-up that initializer was expected to perform before the class is used is skipped.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/200533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

IBM SDK, Java Technology Edition: 8.0.0.0 - 8.0.6.30

Note: CVE-2021-41041 is not applicable to IBM SDK, Java Technology Edition on Solaris, HP-UX and Mac OS.

Remediation/Fixes

IBM SDK, Java Technology Edition: upgrade to 8.0.6.31

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
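As an added check (example code written for this page, not an IBM tool), the script below pulls the SDK level out of a `java -version` banner and compares it against the range this bulletin lists. The boundaries (8.0.0.0 to 8.0.6.30 affected, 8.0.6.31 fixed) come from the bulletin; the banner layout it parses (a four-part build level after "build"), the sample banners embedded in it, and the file name in the usage line are assumptions.

```python
"""Classify an IBM SDK, Java Technology Edition 8 install against the
CVE-2021-28167 bulletin. Added example for this page, not IBM's tooling.

Version boundaries come from the bulletin. The banner format parsed here
(IBM SDK prints "(build 8.0.6.25 - pxa6480sr6fp25-...)") is an assumption,
and the sample banners at the bottom are constructed, not captured.
"""
import re
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

AFFECTED_FIRST: Version = (8, 0, 0, 0)    # from "Affected Products and Versions"
AFFECTED_LAST: Version = (8, 0, 6, 30)
FIXED: Version = (8, 0, 6, 31)            # from "Remediation/Fixes"

# IBM SDK banners carry the SDK level as a four-part dotted number after
# "(build ". HotSpot and Temurin banners print "(build 1.8.0_292-b10)" or
# "(build 11.0.12+7)", which lack a fourth dotted component, so they do not
# match and the check reports "unknown" instead of a wrong verdict.
_IBM_BUILD = re.compile(r"\(build (\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_ibm_sdk_version(banner: str) -> Optional[Version]:
    """Return the four-part IBM SDK level from a banner, or None if absent."""
    m = _IBM_BUILD.search(banner)
    if m is None:
        return None
    major, minor, sr, fp = (int(g) for g in m.groups())
    return (major, minor, sr, fp)


def assess(version: Version) -> str:
    """Classify a level: 'affected', 'fixed', or 'not-listed' (other streams)."""
    if version[:2] != (8, 0):
        return "not-listed"          # the bulletin covers only the 8.0 stream
    if AFFECTED_FIRST <= version <= AFFECTED_LAST:
        return "affected"
    return "fixed"                   # 8.0.6.31 or later


def check(banner: str) -> str:
    """Banner text in; 'affected', 'fixed', 'not-listed' or 'unknown' out."""
    version = parse_ibm_sdk_version(banner)
    if version is None:
        return "unknown"             # not an IBM SDK banner, or format changed
    return assess(version)


# Constructed sample banners, cut down to the lines the check depends on.
SAMPLE_AFFECTED = (
    'java version "1.8.0_281"\n'
    "Java(TM) SE Runtime Environment (build 8.0.6.25 - pxa6480sr6fp25-20210115_01(SR6 FP25))\n"
    "IBM J9 VM (build 2.9, JRE 1.8.0 Linux amd64-64-Bit Compressed References ...)\n"
)
SAMPLE_FIXED = (
    'java version "1.8.0_291"\n'
    "Java(TM) SE Runtime Environment (build 8.0.6.31 - pxa6480sr6fp31-20210427_01(SR6 FP31))\n"
)
SAMPLE_HOTSPOT = (
    'openjdk version "1.8.0_292"\n'
    "OpenJDK Runtime Environment (build 1.8.0_292-b10)\n"
    "OpenJDK 64-Bit Server VM (build 25.292-b10, mixed mode)\n"
)

if __name__ == "__main__":
    # Usage (java -version writes to stderr):
    #   java -version 2>&1 | python3 check_cve_2021_28167.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AFFECTED
    level = parse_ibm_sdk_version(text)
    verdict = check(text)
    shown = ".".join(map(str, level)) if level else "n/a"
    print(f"IBM SDK level: {shown} -> {verdict}")
    if verdict == "affected":
        print("upgrade to " + ".".join(map(str, FIXED)) + " or later")
```

The script deliberately answers "unknown" rather than "fixed" when it cannot find an IBM-style build level, so a HotSpot or Temurin runtime is never reported as patched by accident; an inventory job can treat "unknown" as "inspect by hand".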

Workarounds and Mitigations

None

Affected configurations

CPE Name: ibm java
Operator: eq
Version: any

