Improper access control in Eclipse Openj9



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-41035
CWE-ID CWE-284
Exploitation vector Network
Public exploit N/A
Vulnerable software
 OpenJ9
Server applications / Virtualization software

Vendor Eclipse

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Improper access control

EUVDB-ID: #VU60083

Risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-41035

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. The JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. A remote attacker can send a request to a non-public method and gain unauthorized access to the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

OpenJ9: 0.0 - 0.29.0-m2

CPE2.3 External links

https://github.com/eclipse-openj9/openj9/pull/13740
https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/104
https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###