CVE-2021-41041 - OpenCVE

In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Eclipse	Openj9
Oracle	Java Se

Configuration 1 [-]

cpe:2.3:a:eclipse:openj9:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:oracle:java_se:8:::::::*
	cpe:2.3:a:oracle:java_se:11:::::::*

References

Link	Resource
https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744	Issue Tracking Third Party Advisory
https://github.com/eclipse-openj9/openj9/pull/14935	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: eclipse

Published: 2022-04-27T02:10:10

Updated: 2022-04-27T02:10:10

Reserved: 2021-09-13T00:00:00

Link: CVE-2021-41041

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-04-27T02:15:38.730

Modified: 2022-05-05T19:10:55.303

Link: CVE-2021-41041

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Eclipse OpenJ9", "vendor": "The Eclipse Foundation", "versions": [{"lessThan": "0.32.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "description": "CWE-252: Unchecked Return Value", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-843", "description": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-908", "description": "CWE-908: Use of Uninitialized Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-04-27T02:10:10", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/eclipse-openj9/openj9/pull/14935"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-41041", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Eclipse OpenJ9", "version": {"version_data": [{"version_affected": "<", "version_value": "0.32.0"}]}}]}, "vendor_name": "The Eclipse Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-252: Unchecked Return Value"}]}, {"description": [{"lang": "eng", "value": "CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')"}]}, {"description": [{"lang": "eng", "value": "CWE-908: Use of Uninitialized Resource"}]}]}, "references": {"reference_data": [{"name": "https://github.com/eclipse-openj9/openj9/pull/14935", "refsource": "CONFIRM", "url": "https://github.com/eclipse-openj9/openj9/pull/14935"}, {"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744", "refsource": "CONFIRM", "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744"}]}}}}, "cveMetadata": {"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-41041", "datePublished": "2022-04-27T02:10:10", "dateReserved": "2021-09-13T00:00:00", "dateUpdated": "2022-04-27T02:10:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:openj9:*:*:*:*:*:*:*:*", "matchCriteriaId": "92D694D4-DC59-4857-B2D3-CCFE7A2A794E", "versionEndExcluding": "0.32.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:java_se:8:*:*:*:*:*:*:*", "matchCriteriaId": "7D62706F-27A5-4BA7-B073-DCD2137A6063", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:java_se:11:*:*:*:*:*:*:*", "matchCriteriaId": "E34D70BC-EBC8-4728-A8D6-B5A83DB97135", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles."}, {"lang": "es", "value": "En Eclipse Openj9 versiones anteriores a 0.32.0, Java 8 y 11 no lanzan la excepci\u00f3n capturada durante la verificaci\u00f3n del c\u00f3digo de bytes cuando la verificaci\u00f3n es desencadenada por una invocaci\u00f3n de MethodHandle, permitiendo invocar m\u00e9todos no verificados mediante MethodHandles"}], "id": "CVE-2021-41041", "lastModified": "2022-05-05T19:10:55.303", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-04-27T02:15:38.730", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744"}, {"source": "emo@eclipse.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/eclipse-openj9/openj9/pull/14935"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-843"}, {"lang": "en", "value": "CWE-908"}], "source": "emo@eclipse.org", "type": "Secondary"}]}