Vulnerability identifier: #VU60083
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-284
Exploitation vector: Network
Exploit availability: No
Vulnerable software: OpenJ9 (Server applications / Virtualization software)
Vendor: Eclipse
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions: the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods. A remote attacker can reach a non-public method through such a handle and gain unauthorized access to the application.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
OpenJ9: 0.0M1 - 0.29.0-m2
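A quick way to check whether a host runs an OpenJ9 build in the affected range is to parse the `build openj9-<version>` token that OpenJ9 prints in its `java -version` banner. The script below is an added example, not part of this advisory or the OpenJ9 project; it assumes the fix shipped in the 0.29.0 GA release (inferred from the listed range ending at 0.29.0-m2, so confirm against the vendor's release notes), and the sample banners embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag OpenJ9 builds in the advisory's affected range
# (0.0M1 - 0.29.0-m2). Assumes 0.29.0 GA is the first fixed release.

# Extract "<version>" from the "build openj9-<version>" token of a
# `java -version` banner read on stdin. Prints e.g. "0.27.0" or
# "0.29.0-m2"; prints nothing for a non-OpenJ9 JVM (e.g. HotSpot).
openj9_version_from_banner() {
    sed -n 's/.*build openj9-\([0-9][0-9.]*[0-9]\(-[mM][0-9]*\)*\).*/\1/p' | head -n 1
}

# Exit status 0 if the given OpenJ9 version string is in the affected range:
# anything strictly older than 0.29.0, or a 0.29.0 milestone build (-mN).
is_vulnerable_openj9() {
    v="$1"
    base="${v%%-*}"                     # "0.29.0-m2" -> "0.29.0"
    case "$v" in
        *-*) milestone=1 ;;             # pre-release suffix present
        *)   milestone=0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    key=$((maj * 1000000 + min * 1000 + pat))
    fixed=$((0 * 1000000 + 29 * 1000 + 0))  # 0.29.0
    if [ "$key" -lt "$fixed" ]; then
        return 0
    fi
    if [ "$key" -eq "$fixed" ] && [ "$milestone" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Classify a full banner: "vulnerable:<v>", "fixed:<v>" or "not-openj9".
check_banner() {
    ver=$(printf '%s\n' "$1" | openj9_version_from_banner)
    if [ -z "$ver" ]; then
        echo "not-openj9"
    elif is_vulnerable_openj9 "$ver"; then
        echo "vulnerable:$ver"
    else
        echo "fixed:$ver"
    fi
}

# Constructed sample banners (shape follows OpenJ9's `java -version` output).
SAMPLE_OLD='openjdk version "11.0.12" 2021-07-20
Eclipse OpenJ9 VM 11.0.12.0 (build openj9-0.27.0, JRE 11 Linux amd64-64-Bit Compressed References 20210720_111 (JIT enabled, AOT enabled)'
SAMPLE_MILESTONE='openjdk version "17" 2021-09-14
Eclipse OpenJ9 VM 17.0.0.0 (build openj9-0.29.0-m2, JRE 17 Linux amd64-64-Bit Compressed References 20210914_1 (JIT enabled, AOT enabled)'
SAMPLE_GA='openjdk version "11.0.13" 2021-10-19
Eclipse OpenJ9 VM 11.0.13.0 (build openj9-0.29.0, JRE 11 Linux amd64-64-Bit Compressed References 20211019_146 (JIT enabled, AOT enabled)'
SAMPLE_HOTSPOT='openjdk version "17.0.2" 2022-01-18
OpenJDK 64-Bit Server VM (build 17.0.2+8, mixed mode)'

# Usage on the local host, when a JVM is installed.
if command -v java >/dev/null 2>&1; then
    echo "local JVM: $(check_banner "$(java -version 2>&1)")"
fi
```

Run the script on each host (or feed it the banner collected by your inventory tooling) and treat any `vulnerable:` result as a host to update; a `not-openj9` result only means the banner is not from OpenJ9, not that the host is patched.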
External links
http://github.com/eclipse-openj9/openj9/pull/13740
http://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/104
http://bugs.eclipse.org/bugs/show_bug.cgi?id=576395
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.