oss-sec mailing list archives

CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing

From: "Gary D. Gregory" <ggregory () apache org>
Date: Fri, 04 Nov 2022 17:35:34 +0000

Description:

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. 
However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be 
abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the 
resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

This issue is being tracked as BCEL-363

Credit:

Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by Richard Atkins 
(https://github.com/rjatkins); PR derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 
13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and RealCLanger (Christoph Langer 
https://github.com/RealCLanger)

Current thread:

CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing Gary D. Gregory (Nov 04)
- Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing John Helmert III (Nov 04)
  - Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing John Helmert III (Nov 07)