Vulnerability Details : CVE-2019-10245

In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verifier incorrectly allows a method to execute past the end of bytecode array causing crashes. Eclipse OpenJ9 v0.14.0 correctly detects this case and rejects the attempted class load.

Vulnerability category: OverflowInput validation

Published 2019-04-19 14:29:00

Updated 2021-10-28 13:40:45

Source Eclipse Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2019-10245

Probability of exploitation activity in the next 30 days: 2.76%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 89 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-10245

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	[email protected]
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-10245

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: [email protected] (Secondary)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Assigned by: [email protected] (Primary)

References for CVE-2019-10245

https://bugs.eclipse.org/bugs/show_bug.cgi?id=545588

Issue Tracking;Patch;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1238

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1166

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1165

Third Party Advisory

CVEs referencing this url
http://www.securityfocus.com/bid/108094

Third Party Advisory;VDB Entry
https://access.redhat.com/errata/RHSA-2019:1325

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1164

Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:1163

Third Party Advisory

CVEs referencing this url

Products affected by CVE-2019-10245

Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 6.0
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Satellite » Version: 5.8
cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
Matching versions
Eclipse » Openj9
Versions before (<) 0.14.0
cpe:2.3:a:eclipse:openj9:*:*:*:*:*:*:*:*
Matching versions