CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
First published: Fri Nov 04 2022(Updated: )
An out-of-bounds (OOB) write flaw was found in Apache Commons BCEL API. This flaw can be used to produce arbitrary bytecode and may abuse applications that pass attacker-controlled data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/bcel | <0:5.2-19.el7_9 | 0:5.2-19.el7_9 |
| redhat/bcel | <0:6.4.1-9.el9_1 | 0:6.4.1-9.el9_1 |
| redhat/bcel | <0:6.4.1-9.el9_0 | 0:6.4.1-9.el9_0 |
| redhat/rh-maven36-bcel | <0:6.3.1-2.3.el7 | 0:6.3.1-2.3.el7 |
| Apache Commons BCEL | <6.6.0 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| Fedoraproject Fedora | =37 | |
| redhat/Apache Commons BCEL | <6.6.0 | 6.6.0 |
| maven/org.apache.bcel:bcel | <6.6.0 | 6.6.0 |
| <6.6.0 | ||
| =35 | ||
| =36 | ||
| =37 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-42920 https://nvd.nist.gov/vuln/detail/CVE-2022-42920 https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
- https://bugzilla.redhat.com/show_bug.cgi?id=2142707
- https://access.redhat.com/errata/RHSA-2023:0470
- https://access.redhat.com/errata/RHSA-2023:0471
- https://access.redhat.com/errata/RHSA-2023:0934
- https://access.redhat.com/errata/RHSA-2022:8958
- https://access.redhat.com/errata/RHSA-2023:0005
- https://access.redhat.com/errata/RHSA-2023:0004
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2022:8959
- https://access.redhat.com/errata/RHSA-2023:4983
- https://access.redhat.com/security/cve/cve-2022-42920
- https://exchange.xforce.ibmcloud.com/vulnerabilities/239562
- https://www.ibm.com/support/pages/node/6852217 (Advisory)
- http://www.openwall.com/lists/oss-security/2022/11/07/2
- https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LX3HEB4TV2BVCGDTK5BCLSYOZNQTOBN4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QMVX6COVXZVS5GPWDODIRW6Z2GE7RPAQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QAMRHAKGIKZNHRBB4VLYTOIOIMMXCUCD/
- https://security.gentoo.org/glsa/202401-25
- https://nvd.nist.gov/vuln/detail/CVE-2022-42920
- https://github.com/apache/commons-bcel/pull/147
- https://issues.apache.org/jira/browse/BCEL-363
- https://github.com/advisories/GHSA-97xg-phpr-rg8q (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2142727
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2142728
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2142726
- https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
- https://github.com/apache/commons-bcel/commit/63919b288fe8ec5e9d0dac9e18b4a186acd76d63
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2143514
- https://access.redhat.com/errata/RHSA-2024:3527
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-42920?
CVE-2022-42920 is an out-of-bounds (OOB) write flaw found in Apache Commons BCEL API.
How can CVE-2022-42920 be exploited?
CVE-2022-42920 can be exploited by passing attacker-controllable data to the affected APIs in Apache Commons BCEL.
What is the severity of CVE-2022-42920?
CVE-2022-42920 has a severity rating of 9.8 out of 10, which is classified as critical.
Which software versions are affected by CVE-2022-42920?
Apache Commons BCEL versions up to exclusive 6.6.0, bcel versions up to exclusive 0:5.2-19.el7_9, bcel versions up to exclusive 0:6.4.1-9.el9_1, bcel versions up to exclusive 0:6.4.1-9.el9_0, and rh-maven36-bcel versions up to exclusive 0:6.3.1-2.3.el7 are affected by CVE-2022-42920.
How do I mitigate CVE-2022-42920?
To mitigate CVE-2022-42920, it is recommended to update to Apache Commons BCEL version 6.6.0.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-97xg-phpr-rg8q
- alias/CVE-2022-42920
- agent/severity
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/last-modified-date
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/apache
- canonical/apache commons bcel
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- version/fedoraproject fedora/37
- package-manager/maven