Vulnerability Name: CVE-2023-2597 (CCN-255906) Assigned: 2023-04-24 Published: 2023-04-24 Updated: 2023-05-30 Summary: Eclipse Openj9 is vulnerable to a buffer overflow, caused by improper bounds checking by the getCachedUTFString() function. By using specially crafted input, a local authenticated attacker could overflow a buffer and execute arbitrary code on the system. CVSS v3 Severity: 7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
7.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 6.1 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): HighPrivileges Required (PR): LowUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 6.0 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): HighAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Consequences: Gain Access References: Source: MITRECVE-2023-2597 openj9-cve20232597-bo(255906) Add check for string length in getCachedUTFString() #17259 Multiple vulnerabilities may affect IBM Semeru Runtime Multiple vulnerabilities may affect IBM SDK, Java Technology Edition IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597) IBM Operational Decision Manager June 2023 - Multiple CVEs Vulnerabilities in Java affects IBM Cloud Application Business Insights - CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-2597, CVE-2023-21830 & CVE-2023-21843 Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. Multiple vulnerabilities in IBM SDK Java affect IBM App Connect Enterprise and IBM Integration Bus IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. Multiple CVEs may affect IBM? SDK, Java? Technology Edition shipped with IBM CICS TX Standard Multiple CVEs may affect IBM SDK, Java Technology Edition shipped with IBM CICS TX Advanced Multiple CVEs may affect IBM SDK, Java Technology Edition shipped with IBM TXSeries for Multiplatforms TADDM affected by multiple vulnerabilities due to IBM Java and its runtime IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to unspecified multiple vulnerabilities in Oracle Java SE, Oracle GraalVM Enterprise Edition IBM Sterling Connect:Direct File Agent is vulnerable to a buffer overflow and unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition (CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968) Multiple vulnerabilities in IBM Java SDK affects App Connect Professional. Multiple Vulnerabilities in IBM Java SDK affect Liberty for Java for IBM Cloud due to April 2023 CPU IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition Multiple vulnerabilities in IBM Java SDK affect AIX IBM Sterling Connect:Direct for UNIX is vulnerable to unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition IBM Sterling Connect:Direct FTP+ is vulnerable to unspecified vulnerabilities due to IBM Runtime Environment Java Technology Edition Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester IBM Event Streams is affected by multiple Semaru Java vulnerabilities IBM Security SOAR is using a component with multiple known vulnerabilities IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface due to Java and Eclipse Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2023 IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) Vulnerable Configuration: Configuration CCN 1 :cpe:/a:ibm:cics_transaction_gateway:9.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cics_transaction_gateway:9.1:*:*:*:*:*:*:* OR cpe:/a:ibm:txseries:8.1:*:*:*:*:*:*:* OR cpe:/a:ibm:txseries:8.2:*:*:*:*:*:*:* OR cpe:/a:ibm:license_metric_tool:9.2:*:*:*:*:*:*:* OR cpe:/o:ibm:aix:7.2:*:*:*:*:*:*:* OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.5:*:*:*:*:*:*:* OR cpe:/a:ibm:operations_analytics_predictive_insights:1.3.6:*:*:*:*:*:*:* OR cpe:/a:ibm:rational_functional_tester:9.2:*:*:*:*:*:*:* OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:* OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:* OR cpe:/a:ibm:java:7.1.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:java:8.0.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:operational_decision_manager:8.10:*:*:*:*:*:*:* OR cpe:/a:ibm:vios:3.1:*:*:*:*:*:*:* OR cpe:/a:ibm:txseries:9.1:*:*:*:*:*:*:* OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:event_streams:10.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:* OR cpe:/o:ibm:aix:7.3:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:* OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:* OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:* OR cpe:/a:ibm:sterling_connect:direct:6.0.0.0:*:*:*:*:unix:*:* OR cpe:/a:ibm:sterling_connect:direct:6.1.0.0:*:*:*:*:unix:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:* OR cpe:/a:ibm:cics_transaction_gateway:9.2:*:*:*:*:*:*:* OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:* Oval Definitions BACK
ibm cics transaction gateway 9.0
ibm cics transaction gateway 9.1
ibm txseries 8.1
ibm txseries 8.2
ibm license metric tool 9.2
ibm aix 7.2
ibm operations analytics predictive insights 1.3.5
ibm operations analytics predictive insights 1.3.6
ibm rational functional tester 9.2
ibm app connect 11.0.0.1
ibm rational functional tester 9.5
ibm java 7.1.0.0
ibm java 8.0.0.0
ibm operational decision manager 8.10
ibm vios 3.1
ibm txseries 9.1
ibm tivoli application dependency discovery manager 7.3.0.0
ibm event streams 10.0.0
ibm app connect enterprise 12.0.1.0
ibm aix 7.3
ibm cloud pak for business automation 18.0.0
ibm cloud pak for business automation 18.0.2
ibm cloud pak for business automation 19.0.1
ibm cloud pak for business automation 19.0.3
ibm cloud pak for business automation 20.0.1
ibm cloud pak for business automation 20.0.3
ibm cloud pak for business automation 21.0.1 -
ibm cloud pak for business automation 21.0.2 -
ibm cloud pak for business automation 21.0.3 -
ibm cics tx 11.1
ibm cics tx 11.1
ibm sterling connect:direct 6.0.0.0
ibm sterling connect:direct 6.1.0.0
ibm cloud pak for business automation 22.0.1 -
ibm cics transaction gateway 9.2
ibm cloud pak for business automation 22.0.2 -
Denotes that component is vulnerable