CVE-2019-11772

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.

Published : 2019-07-17 21:15 Updated : 2019-09-02 10:15

CVSS Score: 7.5 / 10
Vendor Product Version URI
Eclipse Openj9 0.8 cpe:/a:eclipse:openj9:0.8
Eclipse Openj9 0.9.0 cpe:/a:eclipse:openj9:0.9.0
Eclipse Openj9 0.10.0 cpe:/a:eclipse:openj9:0.10.0
Eclipse Openj9 0.11.0 cpe:/a:eclipse:openj9:0.11.0
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0
Eclipse Openj9 0.12.1 cpe:/a:eclipse:openj9:0.12.1
Eclipse Openj9 0.8.0 cpe:/a:eclipse:openj9:0.8.0:-
Eclipse Openj9 0.8.0 cpe:/a:eclipse:openj9:0.8.0:rc1
Eclipse Openj9 0.8.0 cpe:/a:eclipse:openj9:0.8.0:rc2
Eclipse Openj9 0.9.0 cpe:/a:eclipse:openj9:0.9.0:-
Eclipse Openj9 0.9.0 cpe:/a:eclipse:openj9:0.9.0:rc1
Eclipse Openj9 0.9.0 cpe:/a:eclipse:openj9:0.9.0:rc2
Eclipse Openj9 0.10.0 cpe:/a:eclipse:openj9:0.10.0:-
Eclipse Openj9 0.10.0 cpe:/a:eclipse:openj9:0.10.0:rc1
Eclipse Openj9 0.10.0 cpe:/a:eclipse:openj9:0.10.0:rc2
Eclipse Openj9 0.11.0 cpe:/a:eclipse:openj9:0.11.0:-
Eclipse Openj9 0.11.0 cpe:/a:eclipse:openj9:0.11.0:rc1
Eclipse Openj9 0.11.0 cpe:/a:eclipse:openj9:0.11.0:rc2
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0:-
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0:milestone1
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0:milestone2
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0:rc1
Eclipse Openj9 0.12.0 cpe:/a:eclipse:openj9:0.12.0:rc2
Eclipse Openj9 0.13.0 cpe:/a:eclipse:openj9:0.13.0:-
Eclipse Openj9 0.13.0 cpe:/a:eclipse:openj9:0.13.0:milestone1
Eclipse Openj9 0.13.0 cpe:/a:eclipse:openj9:0.13.0:rc1
Eclipse Openj9 0.14.0 cpe:/a:eclipse:openj9:0.14.0:-
Eclipse Openj9 0.14.0 cpe:/a:eclipse:openj9:0.14.0:milestone1
Eclipse Openj9 0.14.0 cpe:/a:eclipse:openj9:0.14.0:rc1
Eclipse Openj9 0.14.1 cpe:/a:eclipse:openj9:0.14.1
Eclipse Openj9 0.14.2 cpe:/a:eclipse:openj9:0.14.2
Eclipse Openj9 0.14.3 cpe:/a:eclipse:openj9:0.14.3

CWE

ID Name Description Links
CWE-787 Out-of-bounds Write The software writes data past the end, or before the beginning, of the intended buffer. CVE

History of changes

Date Event
2019-09-02 10:15
2019-07-24 17:01
2019-07-17 21:15

New CVE