Sep 14, 2022 - 1:29 p.m.

Security Bulletin: CVE-2021-41041 may affect IBM® SDK, Java™ Technology Edition

2022-09-14 13:29:17
www.ibm.com
Tags: cve-2021-41041, eclipse openj9, ibm sdk, java technology edition, remote attacker, security restrictions, bytecode verification

CVSS2: 5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001 Low
Percentile: 33.5%

Summary

CVE-2021-41041 was addressed in Eclipse OpenJ9 version 0.32.

Vulnerability Details

CVEID: CVE-2021-41041
**DESCRIPTION:** Eclipse OpenJ9 could allow a remote attacker to bypass security restrictions, caused by failing to throw the exception captured during bytecode verification when verification. By sending a specially crafted request, an attacker could exploit this vulnerability to cause unverified methods to be invoked using MethodHandles.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225398 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

8.0.0.0 - 8.0.7.6

Note: CVE-2021-41041 is not applicable to IBM SDK, Java Technology Edition on Solaris, HP-UX and Mac OS.

Remediation/Fixes

8.0.7.10

IBM SDK, Java Technology Edition releases can be downloaded, subject to the terms of the developerWorks license, from the Java Developer Center.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm java (Match: any)

CPE Name | Operator | Version
ibm java | eq | any
