CVE-2018-12547

Impact:
Critical
Public Date:
2019-03-01
CWE:
CWE-120
Bugzilla:
1685611: CVE-2018-12547 IBM JDK: buffer overflow in jio_snprintf() and jio_vsnprintf()

The MITRE CVE dictionary describes this issue as:

In Eclipse OpenJ9, prior to the 0.12.0 release, the jio_snprintf() and jio_vsnprintf() native methods ignored the length parameter. This affects existing APIs that called the functions to exceed the allocated buffer. This functions were not directly callable by non-native user code.

Find out more about CVE-2018-12547 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of the java-1.8.0-ibm package as shipped with Red Hat Satellite 5. However, OpenJ9 is loaded only by taskomatic and Tomcat. These 2 processes are listening on the loopback interface only. This flaw is not known to be remotely exploitable under any supported scenario in Satellite 5.

CVSS v3 metrics

CVSS3 Base Score 8.8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.8.0-ibm) RHSA-2019:0472 2019-03-08
Red Hat Enterprise Linux Supplementary (v. 7) (java-1.7.1-ibm) RHSA-2019:0473 2019-03-08
Red Hat Enterprise Linux 8 (java-1.8.0-ibm) RHSA-2019:1238 2019-05-16
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.8.0-ibm) RHSA-2019:0469 2019-03-06
Red Hat Satellite 5.8 (RHEL v.6) (java-1.8.0-ibm) RHSA-2019:0640 2019-03-25
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.1-ibm) RHSA-2019:0474 2019-03-07
Last Modified

CVE description copyright © 2017, The MITRE Corporation