Vulnerabilities > CVE-2024-3933 - Out-of-bounds Write vulnerability in Eclipse Openj9

CVSS 7.3 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

LOW

local

low complexity

eclipse

CWE-787

NVD

Published: 2024-05-27

Updated: 2025-01-09

Summary

In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. This allows read and write to addresses beyond the end of the array range.

Vulnerable Configurations

Part	Description	Count
Application	Eclipse Eclipse Openj9 0.13.0 Eclipse Openj9 0.14.0 Eclipse Openj9 0.14.1 Eclipse Openj9 0.14.2 Eclipse Openj9 0.14.3 Eclipse Openj9 0.15.0 Eclipse Openj9 0.15.1 Eclipse Openj9 0.16.0 Eclipse Openj9 0.17.0 Eclipse Openj9 0.18.0 Eclipse Openj9 0.18.1 Eclipse Openj9 0.19.0 Eclipse Openj9 0.20.0 Eclipse Openj9 0.21.0 Eclipse Openj9 0.22.0 Eclipse Openj9 0.23.0 Eclipse Openj9 0.24.0 Eclipse Openj9 0.25.0 Eclipse Openj9 0.26.0 Eclipse Openj9 0.27.0 Eclipse Openj9 0.27.1 Eclipse Openj9 0.28.0 Eclipse Openj9 0.29.0 Eclipse Openj9 0.29.1 Eclipse Openj9 0.30.0 Eclipse Openj9 0.30.1 Eclipse Openj9 0.31.0 Eclipse Openj9 0.32.0 Eclipse Openj9 0.33.0 Eclipse Openj9 0.33.1 Eclipse Openj9 0.35.0 Eclipse Openj9 0.36.0 Eclipse Openj9 0.36.1 Eclipse Openj9 0.37.0 Eclipse Openj9 0.38.0 Eclipse Openj9 0.39.0 Eclipse Openj9 0.40.0 Eclipse Openj9 0.41.0	98

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References