Vulnerability Name: CVE-2021-41041 (CCN-225398) Assigned: 2021-09-13 Published: 2022-04-19 Updated: 2022-05-05 Summary: In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles. CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
5.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 4.6 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): NoneIntegrity (I): LowAvailibility (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAuthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): NoneIntegrity (I): PartialAvailibility (A): None
Vulnerability Type: CWE-252 Vulnerability Consequences: Bypass Security References: Source: MITRECVE-2021-41041 https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744 eclipse-openj9-cve202141041-sec-bypass(225398) Add the exception check for initializeClassIfNeeded() #14935 https://github.com/eclipse-openj9/openj9/pull/14935 Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. CVE-2021-41041 may affect IBM SDK, Java Technology Edition CVE-2021-41041 may affect IBM Semeru Runtime Vulnerability in IBM SDK, Java Technology (CVE-2021-41041) affects Power HMC A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM IBM TXSeries for Multiplatforms is vulnerable to allowing a remote attacker to bypass security restrictions (CVE-2021-41041). IBM CICS TX Standard is vulnerable to allowing a remote attacker to bypass security restrictions (CVE-2021-41041). IBM CICS TX Advanced is vulnerable to allowing a remote attacker to bypass security restrictions (CVE-2021-41041). IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022and Jul 2022 Vulnerabilities in Eclipse OpenJ9 affects AIX LPARs in IBM PureData System for Operational Analytics (CVE-2021-41041) IBM SDK, Java Technology Edition, Security Update July 2022 A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-41041) Security bypass vulnerability in IBM Java SDK affects IBM Security Guardium (CVE-2021-41041) A vulnerability in Open JDK affecting Rational Functional Tester Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition Multiple vulnerabilities in IBM Java SDK affect AIX IBM SDK Java Technology Edition, is used by IBM Tivoli Application Dependency Discovery Manager (TADDM) and is vulnerable to a denial of service (CVE-2022-21541, CVE-2022-21540, CVE-2021-2163) A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Netcool Configuration Manager (CVE-2021-41041). IBM Workload Scheduler potentially affected by vulnerability in Eclipse Openj9 (CVE-2021-41041) Multiple Vulnerabilities in IBM Java SDK affect IBM Cloud Pak System CVE-2021-41041 Vulnerable Configuration: Configuration 1 :cpe:/a:eclipse:openj9:*:*:*:*:*:*:*:* (Version < 0.32.0)Configuration 2 :cpe:/a:oracle:java_se:8:*:*:*:*:*:*:* OR cpe:/a:oracle:java_se:11:*:*:*:*:*:*:* Configuration RedHat 1 :cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:* Configuration RedHat 2 :cpe:/a:redhat:enterprise_linux:8::supplementary:*:*:*:*:* Configuration CCN 1 :cpe:/a:eclipse:openj9:0.31.0:m1:*:*:*:*:*:* AND cpe:/o:ibm:aix:7.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_directory_server:5.2.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cics_transaction_gateway:9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cics_transaction_gateway:9.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:* OR cpe:/a:ibm:txseries:8.2:*:*:*:*:*:*:* OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:* OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.8:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:* OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.9:*:*:*:*:*:*:* OR cpe:/a:ibm:java:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_directory_administrator:6.0.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:ilog_cplex_optimization_studio:12.10:*:*:*:*:*:*:* OR cpe:/a:ibm:txseries:9.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_application_developer:9.6:*:*:*:websphere:*:*:* OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium:11.4:*:*:*:*:*:*:* OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:* OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.5.0:-:*:*:*:*:*:* OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:* OR cpe:/a:ibm:cics_tx:*:*:*:*:standard:*:*:* OR cpe:/a:ibm:cics_transaction_gateway:9.2:*:*:*:*:*:*:* Oval Definitions BACK
eclipse openj9 *
oracle java se 8
oracle java se 11
eclipse openj9 0.31.0 m1
ibm aix 7.1
ibm rational directory server 5.2.1
ibm cics transaction gateway 9.0
ibm cics transaction gateway 9.1
ibm tivoli netcool configuration manager 6.4.1
ibm txseries 8.2
ibm aix 7.2
ibm tivoli netcool configuration manager 6.4.2
ibm security guardium 10.5
ibm tivoli monitoring 6.3.0.7
ibm tivoli netcool/impact 7.1.0
ibm ilog cplex optimization studio 12.8
ibm security guardium 10.6
ibm ilog cplex optimization studio 12.9
ibm java 8.0.0.0
ibm vios 3.1
ibm rational directory administrator 6.0.0.2
ibm ilog cplex optimization studio 12.10
ibm txseries 9.1
ibm tivoli application dependency discovery manager 7.3.0.0
ibm security guardium 11.0
ibm security guardium 11.1
ibm qradar security information and event manager 7.4.0
ibm security guardium 11.2
ibm rational application developer 9.6
ibm workload scheduler 9.5
ibm security guardium 11.3
ibm security guardium 11.4
ibm aix 7.3
ibm qradar security information and event manager 7.5.0 -
ibm cics tx 11.1
ibm cics tx *
ibm cics transaction gateway 9.2
Denotes that component is vulnerable