IBM JDK 8 SR5 FP30 (8.0.5.30) and IBM JDK 7R1 SR4 FP40 (7.1.4.40) fix a flaw described by upstream as: Eclipse OpenJ9 is vulnerable to a buffer overflow, caused by improper bounds checking by the jio_snprintf() and jio_vsnprintf() functions. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

OpenJ9 upstream bug and commit:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=543659
https://github.com/eclipse/openj9/commit/0971f22d88f42cf7332364ad7430e9bd8681c970

References:
https://www-01.ibm.com/support/docview.wss?uid=ibm10873332
https://developer.ibm.com/javasdk/support/security-vulnerabilities/#IBM_Security_Update_March_2019
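The flaw class above is a bounded-formatting wrapper that does not correctly handle output longer than the destination buffer. The following is an added illustrative example, not code from OpenJ9 or from the upstream commit: it shows how a jio_snprintf-style wrapper should enforce the bound, keep the buffer NUL-terminated, and signal truncation with -1 (the return convention assumed here) so that callers cannot mistake an oversized result for a successful one. The function and buffer names are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bounded vsnprintf-style wrapper (illustrative, not OpenJ9's implementation).
 * Guarantees: never writes more than len bytes, always leaves buf NUL-terminated
 * when len > 0, and returns -1 whenever the formatted output did not fit. */
int safe_vsnprintf(char *buf, size_t len, const char *fmt, va_list args) {
    int n;
    if (buf == NULL || len == 0) {
        return -1;                      /* no room even for the terminator */
    }
    n = vsnprintf(buf, len, fmt, args);
    if (n < 0) {                        /* encoding error: leave a valid empty string */
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= len) {             /* output was truncated: vsnprintf already
                                           terminated it, but report the overflow */
        buf[len - 1] = '\0';
        return -1;
    }
    return n;                           /* bytes written, excluding the terminator */
}

int safe_snprintf(char *buf, size_t len, const char *fmt, ...) {
    va_list args;
    int n;
    va_start(args, fmt);
    n = safe_vsnprintf(buf, len, fmt, args);
    va_end(args);
    return n;
}

/* A caller with a fixed 16-byte buffer formatting an externally supplied
 * argument. The wrapper's return value is handed back so the caller can
 * act on truncation instead of trusting the buffer contents. */
int format_into_small_buffer(const char *arg, char out16[16]) {
    return safe_snprintf(out16, 16, "arg=%s", arg);
}

/* Short argument fits: returns the formatted length (6). */
int demo_short_argument(void) {
    char buf[16];
    int n = format_into_small_buffer("ok", buf);
    return (n == 6 && strcmp(buf, "arg=ok") == 0) ? n : -100;
}

/* Constructed over-long argument (63 bytes of 'A'): the wrapper must reject
 * it with -1 and still leave a terminated 15-character string in the buffer.
 * Returns 1 when both conditions hold. */
int demo_overlong_argument_rejected(void) {
    char buf[16];
    char big[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int n = format_into_small_buffer(big, buf);
    return (n == -1 && strlen(buf) == 15 && buf[15] == '\0') ? 1 : 0;
}

int main(void) {
    printf("short argument result: %d\n", demo_short_argument());
    printf("over-long argument rejected: %d\n", demo_overlong_argument_rejected());
    return 0;
}
```

The important check is the `(size_t)n >= len` comparison: vsnprintf returns the length the output would have had, not the number of bytes it wrote, so a wrapper that forwards that value as a byte count or uses it to index the buffer hands callers an out-of-bounds length. Treating that case as an error is what keeps an over-long argument from becoming a memory-safety problem in code that consumes the result.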
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:0469 https://access.redhat.com/errata/RHSA-2019:0469
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:0472 https://access.redhat.com/errata/RHSA-2019:0472
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2019:0473 https://access.redhat.com/errata/RHSA-2019:0473
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2019:0474 https://access.redhat.com/errata/RHSA-2019:0474
Statement: This issue affects the versions of the java-1.8.0-ibm package as shipped with Red Hat Satellite 5. However, OpenJ9 is loaded only by taskomatic and Tomcat. These two processes listen on the loopback interface only. This flaw is not known to be remotely exploitable under any supported scenario in Satellite 5.
This issue has been addressed in the following products: Red Hat Satellite 5.8 Via RHSA-2019:0640 https://access.redhat.com/errata/RHSA-2019:0640
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1238 https://access.redhat.com/errata/RHSA-2019:1238