Vulnerability Details CVE-2018-12547
In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.008
EPSS Ranking 73.8%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://access.redhat.com/errata/RHSA-2019:0469
- https://access.redhat.com/errata/RHSA-2019:0472
- https://access.redhat.com/errata/RHSA-2019:0473
- https://access.redhat.com/errata/RHSA-2019:0474
- https://access.redhat.com/errata/RHSA-2019:0640
- https://access.redhat.com/errata/RHSA-2019:1238
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659
- https://access.redhat.com/errata/RHSA-2019:0469
- https://access.redhat.com/errata/RHSA-2019:0472
- https://access.redhat.com/errata/RHSA-2019:0473
- https://access.redhat.com/errata/RHSA-2019:0474
- https://access.redhat.com/errata/RHSA-2019:0640
- https://access.redhat.com/errata/RHSA-2019:1238
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659
Products affected by CVE-2018-12547
-
cpe:2.3:a:eclipse:openj9:0.0
-
cpe:2.3:a:eclipse:openj9:0.10.0
-
cpe:2.3:a:eclipse:openj9:0.11.0
-
cpe:2.3:a:eclipse:openj9:0.8
-
cpe:2.3:a:eclipse:openj9:0.8.0
-
cpe:2.3:a:eclipse:openj9:0.9.0
-
cpe:2.3:a:redhat:satellite:5.8
-
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
-
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
-
cpe:2.3:o:redhat:enterprise_linux_server:6.0
-
cpe:2.3:o:redhat:enterprise_linux_server:7.0
-
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
-
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0