oss-sec mailing list archives
Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing
From: John Helmert III <ajak () gentoo org>
Date: Fri, 4 Nov 2022 15:54:46 -0500
On Fri, Nov 04, 2022 at 05:35:34PM +0000, Gary D. Gregory wrote:
> Description: Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.
>
> Update to Apache Commons BCEL 6.6.0.
>
> This issue is being tracked as BCEL-363.
>
> Credit: Reported by Felix Wilhelm (Google); GitHub pull request to Apache Commons BCEL #147 by Richard Atkins (https://github.com/rjatkins); PR derived from OpenJDK (https://github.com/openjdk/jdk11u/) commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by Aleksei Voitylov and RealCLanger (Christoph Langer https://github.com/RealCLanger)
This appears to be a duplicate of CVE-2022-34169 (also issued by the Apache CNA), and previously discussed on this list at [1]. It was eventually reported to the list that the vulnerability was actually in bcel [2].

[1] https://www.openwall.com/lists/oss-security/2022/07/19/5
[2] https://www.openwall.com/lists/oss-security/2022/10/18/2