CVE-2018-12539 — HIGH (7.8)

Vulnerability Description

In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows, Linux and AIX JVMs and can be disabled using the command line option -Dcom.ibm.tools.attach.enable=no.

CVSS Score

7.8

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Eclipse	Openj9	0.8
Oracle	Enterprise Manager Base Platform	13.2.0.0.0

Related Weaknesses (CWE)

CWE-502 CWE-419

References

http://www.securityfocus.com/bid/105126Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041765Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2568Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2569Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2575Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2576Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2712Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2713Not ApplicableThird Party Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=534589Issue TrackingThird Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlPatchThird Party Advisory
http://www.securityfocus.com/bid/105126Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041765Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2568Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2569Not ApplicableThird Party Advisory
https://access.redhat.com/errata/RHSA-2018:2575Not ApplicableThird Party Advisory

FAQ

What is CVE-2018-12539?

CVE-2018-12539 is a vulnerability with a CVSS score of 7.8 (HIGH). In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which...

How severe is CVE-2018-12539?

CVE-2018-12539 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-12539?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Openj9, Oracle Enterprise Manager Base Platform.