Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-3933

In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. This allows read and write to addresses beyond the end of the array range.

Published

2024-05-27T06:15:09.367

Last Modified

2025-01-09T18:00:53.140

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-125
CWE-787
CWE-805
Type: Primary
CWE-125
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	eclipse	openj9	< 0.44.0	Yes

References

https://github.com/eclipse/omr/pull/7275 Issue Tracking, Patch ([email protected])
https://gitlab.eclipse.org/security/cve-assignement/-/issues/21 Issue Tracking, Vendor Advisory ([email protected])
https://github.com/eclipse/omr/pull/7275 Issue Tracking, Patch (af854a3a-2127-422b-91ae-364da2661108)
https://gitlab.eclipse.org/security/cve-assignement/-/issues/21 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)