First published: Wed Nov 15 2023
Eclipse OpenJ9 is vulnerable to a denial of service, caused by a flaw when a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause an infinite busy hang on a spinlock or a segmentation fault.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eclipse OpenJ9 | <0.41.0 | |
| redhat/java-1.8.0-ibm | <8.0.8.15 | 8.0.8.15 |
| IBM Cognos Analytics | <=12.0.0-12.0.2 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP3 | |
The vulnerability ID for Eclipse OpenJ9 is CVE-2023-5676.
The severity of CVE-2023-5676 is medium with a severity value of 5.9.
The JVM in Eclipse OpenJ9 can be forced into an infinite busy hang if a shutdown signal (SIGTERM, SIGINT, or SIGHUP) is received before the JVM has finished initializing.
Eclipse OpenJ9 before version 0.41.0 is affected by CVE-2023-5676.
References for CVE-2023-5676 are available at the following links: [Link 1](https://github.com/eclipse-openj9/openj9/pull/18085), [Link 2](https://gitlab.eclipse.org/security/cve-assignement/-/issues/13).