Bug 2257728 (CVE-2024-20918) - CVE-2024-20918 OpenJDK: array out-of-bounds access due to missing range check in C1 compiler (8314468)
Summary: CVE-2024-20918 OpenJDK: array out-of-bounds access due to missing range check...
Keywords:
Status: NEW
Alias: CVE-2024-20918
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2257303
Blocks: 2257260
Reported: 2024-01-10 16:12 UTC by Mauro Matteo Cascella
Modified: 2025-01-24 15:52 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0303 0 None None None 2024-01-18 20:02:22 UTC
Red Hat Product Errata RHBA-2024:0309 0 None None None 2024-01-22 01:01:35 UTC
Red Hat Product Errata RHBA-2024:0314 0 None None None 2024-01-22 03:26:19 UTC
Red Hat Product Errata RHBA-2024:0321 0 None None None 2024-01-22 14:00:30 UTC
Red Hat Product Errata RHBA-2024:0323 0 None None None 2024-01-22 14:38:19 UTC
Red Hat Product Errata RHBA-2024:0324 0 None None None 2024-01-22 18:01:31 UTC
Red Hat Product Errata RHBA-2024:0326 0 None None None 2024-01-22 18:05:14 UTC
Red Hat Product Errata RHBA-2024:0327 0 None None None 2024-01-22 17:59:04 UTC
Red Hat Product Errata RHBA-2024:0328 0 None None None 2024-01-22 18:04:24 UTC
Red Hat Product Errata RHBA-2024:0329 0 None None None 2024-01-22 18:04:15 UTC
Red Hat Product Errata RHBA-2024:0330 0 None None None 2024-01-22 18:04:38 UTC
Red Hat Product Errata RHBA-2024:0331 0 None None None 2024-01-22 18:00:06 UTC
Red Hat Product Errata RHBA-2024:0377 0 None None None 2024-01-23 17:17:53 UTC
Red Hat Product Errata RHBA-2024:0491 0 None None None 2024-01-25 11:26:20 UTC
Red Hat Product Errata RHBA-2024:0492 0 None None None 2024-01-25 13:00:28 UTC
Red Hat Product Errata RHBA-2024:0493 0 None None None 2024-01-25 13:07:03 UTC
Red Hat Product Errata RHBA-2024:0496 0 None None None 2024-01-25 14:35:11 UTC
Red Hat Product Errata RHBA-2024:0534 0 None None None 2024-01-29 01:08:59 UTC
Red Hat Product Errata RHBA-2024:0535 0 None None None 2024-01-29 01:16:33 UTC
Red Hat Product Errata RHBA-2024:0544 0 None None None 2024-01-29 13:44:02 UTC
Red Hat Product Errata RHBA-2024:0560 0 None None None 2024-01-30 10:53:59 UTC
Red Hat Product Errata RHBA-2024:0567 0 None None None 2024-01-30 13:27:24 UTC
Red Hat Product Errata RHBA-2024:0707 0 None None None 2024-02-06 18:43:57 UTC
Red Hat Product Errata RHBA-2024:0708 0 None None None 2024-02-06 18:44:16 UTC
Red Hat Product Errata RHBA-2024:0784 0 None None None 2024-02-12 13:13:26 UTC
Red Hat Product Errata RHBA-2024:0787 0 None None None 2024-02-12 14:57:43 UTC
Red Hat Product Errata RHBA-2024:0794 0 None None None 2024-02-12 18:44:29 UTC
Red Hat Product Errata RHBA-2024:0935 0 None None None 2024-02-21 19:16:02 UTC
Red Hat Product Errata RHBA-2024:0985 0 None None None 2024-02-26 11:35:56 UTC
Red Hat Product Errata RHSA-2024:0222 0 None None None 2024-01-17 13:54:44 UTC
Red Hat Product Errata RHSA-2024:0223 0 None None None 2024-01-17 15:56:02 UTC
Red Hat Product Errata RHSA-2024:0224 0 None None None 2024-01-17 15:44:28 UTC
Red Hat Product Errata RHSA-2024:0225 0 None None None 2024-01-17 09:01:24 UTC
Red Hat Product Errata RHSA-2024:0226 0 None None None 2024-01-17 15:57:39 UTC
Red Hat Product Errata RHSA-2024:0228 0 None None None 2024-01-17 19:06:55 UTC
Red Hat Product Errata RHSA-2024:0230 0 None None None 2024-01-17 13:55:05 UTC
Red Hat Product Errata RHSA-2024:0231 0 None None None 2024-01-17 14:00:55 UTC
Red Hat Product Errata RHSA-2024:0232 0 None None None 2024-01-17 15:56:22 UTC
Red Hat Product Errata RHSA-2024:0233 0 None None None 2024-01-17 16:52:51 UTC
Red Hat Product Errata RHSA-2024:0234 0 None None None 2024-01-17 09:01:45 UTC
Red Hat Product Errata RHSA-2024:0235 0 None None None 2024-01-17 17:51:26 UTC
Red Hat Product Errata RHSA-2024:0237 0 None None None 2024-01-17 19:15:05 UTC
Red Hat Product Errata RHSA-2024:0239 0 None None None 2024-01-17 14:01:04 UTC
Red Hat Product Errata RHSA-2024:0240 0 None None None 2024-01-17 14:07:11 UTC
Red Hat Product Errata RHSA-2024:0241 0 None None None 2024-01-17 09:01:54 UTC
Red Hat Product Errata RHSA-2024:0242 0 None None None 2024-01-17 19:14:52 UTC
Red Hat Product Errata RHSA-2024:0244 0 None None None 2024-01-17 19:15:54 UTC
Red Hat Product Errata RHSA-2024:0246 0 None None None 2024-01-17 14:06:58 UTC
Red Hat Product Errata RHSA-2024:0247 0 None None None 2024-01-17 14:15:30 UTC
Red Hat Product Errata RHSA-2024:0248 0 None None None 2024-01-17 19:19:55 UTC
Red Hat Product Errata RHSA-2024:0249 0 None None None 2024-01-17 08:56:51 UTC
Red Hat Product Errata RHSA-2024:0250 0 None None None 2024-01-17 14:15:45 UTC
Red Hat Product Errata RHSA-2024:0265 0 None None None 2024-01-17 18:59:31 UTC
Red Hat Product Errata RHSA-2024:0266 0 None None None 2024-01-18 18:06:42 UTC
Red Hat Product Errata RHSA-2024:0267 0 None None None 2024-01-17 19:01:02 UTC

Description Mauro Matteo Cascella 2024-01-10 16:12:00 UTC
It was discovered that the Hotspot component of OpenJDK was missing range checks when accessing an array in a loop. An untrusted Java application or applet could use this flaw to corrupt JVM memory and cause it to crash or, possibly, execute arbitrary code, bypassing Java sandbox restrictions.

Comment 8 errata-xmlrpc 2024-01-17 08:56:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0249 https://access.redhat.com/errata/RHSA-2024:0249

Comment 9 errata-xmlrpc 2024-01-17 09:01:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0225 https://access.redhat.com/errata/RHSA-2024:0225

Comment 10 errata-xmlrpc 2024-01-17 09:01:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0234 https://access.redhat.com/errata/RHSA-2024:0234

Comment 11 errata-xmlrpc 2024-01-17 09:01:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0241 https://access.redhat.com/errata/RHSA-2024:0241

Comment 12 errata-xmlrpc 2024-01-17 13:54:43 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u402

Via RHSA-2024:0222 https://access.redhat.com/errata/RHSA-2024:0222

Comment 13 errata-xmlrpc 2024-01-17 13:55:04 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 8u402

Via RHSA-2024:0230 https://access.redhat.com/errata/RHSA-2024:0230

Comment 14 errata-xmlrpc 2024-01-17 14:00:53 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.22

Via RHSA-2024:0231 https://access.redhat.com/errata/RHSA-2024:0231

Comment 15 errata-xmlrpc 2024-01-17 14:01:02 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 11.0.22

Via RHSA-2024:0239 https://access.redhat.com/errata/RHSA-2024:0239

Comment 16 errata-xmlrpc 2024-01-17 14:06:57 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.10

Via RHSA-2024:0246 https://access.redhat.com/errata/RHSA-2024:0246

Comment 17 errata-xmlrpc 2024-01-17 14:07:10 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 17.0.10

Via RHSA-2024:0240 https://access.redhat.com/errata/RHSA-2024:0240

Comment 18 errata-xmlrpc 2024-01-17 14:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 21.0.2

Via RHSA-2024:0247 https://access.redhat.com/errata/RHSA-2024:0247

Comment 19 errata-xmlrpc 2024-01-17 14:15:44 UTC
This issue has been addressed in the following products:

  Red Hat Build of OpenJDK 21.0.2

Via RHSA-2024:0250 https://access.redhat.com/errata/RHSA-2024:0250

Comment 20 errata-xmlrpc 2024-01-17 15:44:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0224 https://access.redhat.com/errata/RHSA-2024:0224

Comment 21 errata-xmlrpc 2024-01-17 15:56:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0223 https://access.redhat.com/errata/RHSA-2024:0223

Comment 22 errata-xmlrpc 2024-01-17 15:56:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0232 https://access.redhat.com/errata/RHSA-2024:0232

Comment 23 errata-xmlrpc 2024-01-17 15:57:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0226 https://access.redhat.com/errata/RHSA-2024:0226

Comment 24 errata-xmlrpc 2024-01-17 16:52:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0233 https://access.redhat.com/errata/RHSA-2024:0233

Comment 25 errata-xmlrpc 2024-01-17 17:51:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0235 https://access.redhat.com/errata/RHSA-2024:0235

Comment 26 errata-xmlrpc 2024-01-17 18:59:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0265 https://access.redhat.com/errata/RHSA-2024:0265

Comment 27 errata-xmlrpc 2024-01-17 19:01:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0267 https://access.redhat.com/errata/RHSA-2024:0267

Comment 28 errata-xmlrpc 2024-01-17 19:06:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0228 https://access.redhat.com/errata/RHSA-2024:0228

Comment 29 errata-xmlrpc 2024-01-17 19:14:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0242 https://access.redhat.com/errata/RHSA-2024:0242

Comment 30 errata-xmlrpc 2024-01-17 19:15:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0237 https://access.redhat.com/errata/RHSA-2024:0237

Comment 31 errata-xmlrpc 2024-01-17 19:15:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0244 https://access.redhat.com/errata/RHSA-2024:0244

Comment 32 errata-xmlrpc 2024-01-17 19:19:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0248 https://access.redhat.com/errata/RHSA-2024:0248

Comment 33 errata-xmlrpc 2024-01-18 18:06:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 9.2 Extended Update Support
  Red Hat Enterprise Linux 9

Via RHSA-2024:0266 https://access.redhat.com/errata/RHSA-2024:0266

Comment 39 Mauro Matteo Cascella 2024-02-15 09:28:15 UTC
Relevant excerpt from release notes:

-> Potential Performance Regression Due to Limited Range Check Elimination (JDK-8314468 (not public))
When the C1 compiler is the only compiler available to the VM, it applies loop predication to remove array access range checks from loop bodies. Due to a defect, this optimization was disabled, potentially leading to a performance regression.

This only affects the client VM or VMs running with the non-default command line flags -XX:+NeverActAsServerClassMachine or -XX:TieredStopAtLevel=[1,2,3].
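
A check for the configurations named in the release-note excerpt above, as an added example that is not part of the bug report, the release notes, or OpenJDK. The function names are hypothetical, and the script only inspects process command lines on Linux.

```shell
#!/bin/sh
# Added example: report JVMs started with the flags named in the release note.
# Function names are hypothetical; nothing here comes from OpenJDK or Red Hat.

# c1_only_reason ARG...
# Prints the effective flag and returns 0 if the arguments select one of the
# listed configurations, else returns 1. HotSpot lets the last occurrence of
# an -XX flag win, so every argument is scanned before deciding.
c1_only_reason() {
    never_server=""; tier=""
    for arg in "$@"; do
        case "$arg" in
            -XX:+NeverActAsServerClassMachine) never_server=1 ;;
            -XX:-NeverActAsServerClassMachine) never_server="" ;;
            -XX:TieredStopAtLevel=*) tier=${arg#-XX:TieredStopAtLevel=} ;;
        esac
    done
    case "$tier" in
        1|2|3) echo "-XX:TieredStopAtLevel=$tier"; return 0 ;;
    esac
    if [ -n "$never_server" ]; then
        echo "-XX:+NeverActAsServerClassMachine"; return 0
    fi
    return 1
}

# scan_running_jvms: apply the check to every readable /proc/<pid>/cmdline.
# Linux only. Flags set via JAVA_TOOL_OPTIONS or an @argfile do not appear in
# cmdline and are not seen here.
scan_running_jvms() {
    for f in /proc/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # cmdline is NUL-separated; convert to one argument per line.
        args=$(tr '\0' '\n' 2>/dev/null < "$f") || continue
        case "$args" in *java*) ;; *) continue ;; esac   # coarse JVM filter
        old_ifs=$IFS; IFS='
'
        set -f   # no globbing while the argument list is split on newlines
        reason=$(c1_only_reason $args) && echo "${f%/cmdline}: $reason"
        set +f; IFS=$old_ifs
    done
}

# Usage: sh this_script scan
if [ "${1:-}" = "scan" ]; then scan_running_jvms; fi
```

Processes it reports are the ones where the performance regression described in the release note can appear after updating.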