Home

CVE-2019-11772

Description

In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.

Risk Information

Base Score
9.8
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
0.871

Associated Vulnerability

VulnerabilityOS Platform
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP4 ) java-1_8_0-ibm-1.8.0_sr5.40-30.54.1.x86_64.rpmLinux
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP4 ) java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1.x86_64.rpmLinux
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP4 ) java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2585) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.40-1jpp.1.el7.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-headless-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2590) java-1.8.0-ibm security update java-1.8.0-ibm-webstart-1.8.0.5.40-3.el8_0.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-demo-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-jdbc-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-plugin-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.40-1jpp.1.el6_10.i686.rpmLinux
(RHSA-2019:2592) java-1.8.0-ibm security update java-1.8.0-ibm-src-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpmLinux
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP5) java-1_8_0-ibm-1.8.0_sr5.40-30.54.1.x86_64_12_SP5.rpmLinux
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP5) java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54.1.x86_64_12_SP5.rpmLinux
SUSE-SU-2019:2371-1(SUSE Linux Enterprise Server 12-SP5) java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54.1.x86_64_12_SP5.rpmLinux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234