CVE-2023-5676: Eclipse OpenJ9 possible infinite busy hang
First published: Wed Nov 15 2023(Updated: )
Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse Openj9 | <0.41.0 | |
| redhat/java-1.8.0-ibm | <8.0.8.15 | 8.0.8.15 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eclipse-openj9/openj9/pull/18085
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/13
- https://www.ibm.com/support/pages/node/7078433
- https://www.ibm.com/support/pages/apar/IJ49075
- https://www.ibm.com/support/pages/java-sdk-security-vulnerabilities#IBM_Security_Update_November_2023
- https://access.redhat.com/errata/RHSA-2024:0866
- https://access.redhat.com/errata/RHSA-2024:0879
- https://bugzilla.redhat.com/show_bug.cgi?id=2250255
- https://exchange.xforce.ibmcloud.com/vulnerabilities/271615
- https://www.ibm.com/support/pages/node/7156941 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for Eclipse OpenJ9?
The vulnerability ID for Eclipse OpenJ9 is CVE-2023-5676.
What is the severity of CVE-2023-5676?
The severity of CVE-2023-5676 is medium with a severity value of 5.9.
How can the JVM in Eclipse OpenJ9 be forced into an infinite busy hang?
The JVM in Eclipse OpenJ9 can be forced into an infinite busy hang if a shutdown signal (SIGTERM, SIGINT, or SIGHUP) is received before the JVM has finished initializing.
Which version of Eclipse OpenJ9 is affected by CVE-2023-5676?
Eclipse OpenJ9 before version 0.41.0 is affected by CVE-2023-5676.
Are there any references for CVE-2023-5676?
Yes, you can find references for CVE-2023-5676 at the following links: [Link 1](https://github.com/eclipse-openj9/openj9/pull/18085), [Link 2](https://gitlab.eclipse.org/security/cve-assignement/-/issues/13).
- collector/nvd-api
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/title
- agent/weakness
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-5676
- agent/software-canonical-lookup
- agent/event
- collector/ibm-support
- source/IBM
- agent/last-modified-date
- agent/references
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/eclipse
- canonical/eclipse openj9
- package-manager/redhat
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.2
- version/ibm cognos analytics/11.2.0-11.2.4 fp3