Vulnerability Name:

CVE-2021-28167 (CCN-200533)

Assigned:2021-02-21
Published:2021-02-21
Updated:2021-04-27
Summary:In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.reflect.ConstantPool API causes the JVM in some cases to pre-resolve certain constant pool entries. This allows a user to call static methods or access static members without running the class initialization method, and may allow a user to observe uninitialized values.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-909
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2021-28167

Source: XF
Type: UNKNOWN
eclipse-cve202128167-sec-bypass(200533)

Source: CCN
Type: Openj9 GIT Repository
clinit sometimes will not be invoked when calling static methods at first. #12016

Source: CONFIRM
Type: Exploit, Patch, Third Party Advisory
https://github.com/eclipse/openj9/issues/12016

Source: CCN
Type: IBM Security Bulletin 6832432 (Java)
CVE-2021-28167 may affect IBM SDK, Java Technology Edition

Source: CCN
Type: IBM Security Bulletin 6841225 (Cloud Pak System Software)
Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167]

Source: CCN
Type: IBM Security Bulletin 6841477 (ILOG CPLEX Optimization Studio)
A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-28167)

Source: CCN
Type: IBM Security Bulletin 6845554 (Rational Business Developer)
Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer

Source: CCN
Type: IBM Security Bulletin 6851341 (CICS Transaction Gateway)
Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition

Source: CCN
Type: IBM Security Bulletin 6851437 (AIX)
Multiple vulnerabilities in IBM Java SDK affect AIX

Source: CCN
Type: IBM Security Bulletin 6855639 (Tivoli Netcool Configuration Manager)
A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Netcool Configuration Manager (CVE-2021-28167).

Source: CCN
Type: IBM Security Bulletin 6855731 (SPSS Collaboration and Deployment Services)
A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167)

Source: CCN
Type: IBM Security Bulletin 6953615 (Security Verify Access)
A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access.

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:openj9:*:*:*:*:*:*:*:* (Version <= 0.25.0)

    • Configuration CCN 1:
  • cpe:/a:eclipse:openj9:0.25.0:-:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:9.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_business_developer:9.5:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.10:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_business_developer:9.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_collaboration_and_deployment_services:8.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:java:8.0.6.30:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_transaction_gateway:9.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.4.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    eclipse openj9 *
    eclipse openj9 0.25.0 -
    ibm aix 7.1
    ibm cics transaction gateway 9.0
    ibm cics transaction gateway 9.1
    ibm tivoli netcool configuration manager 6.4.1
    ibm rational business developer 9.5
    ibm aix 7.2
    ibm tivoli netcool configuration manager 6.4.2
    ibm spss collaboration and deployment services 8.0
    ibm spss collaboration and deployment services 8.1
    ibm spss collaboration and deployment services 8.1.1
    ibm ilog cplex optimization studio 12.8
    ibm ilog cplex optimization studio 12.9
    ibm java 8.0.0.0
    ibm vios 3.1
    ibm ilog cplex optimization studio 12.10
    ibm rational business developer 9.6
    ibm spss collaboration and deployment services 8.2
    ibm spss collaboration and deployment services 8.2.1
    ibm security verify access 10.0.2.0
    ibm java 8.0.6.30
    ibm security verify access 10.0.0.0
    ibm security verify access 10.0.1.0
    ibm aix 7.3
    ibm security verify access 10.0.3.0
    ibm cics transaction gateway 9.2
    ibm security verify access 10.0.4.0