Improper access control in Eclipse Openj9
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-41035 |
| CWE-ID | CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
OpenJ9 Server applications / Virtualization software |
| Vendor | Eclipse |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper access control
EUVDB-ID: #VU60083
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-41035
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. The JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. A remote attacker can send a request to a non-public method and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsOpenJ9: 0.0 - 0.29.0-m2a
External linkshttp://github.com/eclipse-openj9/openj9/pull/13740
http://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/104
http://bugs.eclipse.org/bugs/show_bug.cgi?id=576395
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
