Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-5676: Don't invoke shutdown signal handler until JVM init completes by babsingh · Pull Request #18085 · eclipse-openj9/openj9

In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.

CVE
#java

JVM init path: J9_CreateJavaVM.
JVM exit paths: protectedDestroyJavaVM and exitJavaVM.

A segfault or other side-effects can happen if the JVM init and
exit paths execute concurrently.

The exit path can be taken if a shutdown signal is raised and the
shutdown handler is invoked. JVM shutdown signals are SIGINT, SIGTERM
and SIGHUP.

Preventing invocation of the exit path from the shutdown signal handler
until the JVM initialization completes resolves the above side-effects.

Related:

  • Sync JVM init and exit paths #17101
  • Revert “Sync JVM init and exit paths” #17438

Related news

Red Hat Security Advisory 2024-0879-03

Red Hat Security Advisory 2024-0879-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary. Issues addressed include denial of service and deserialization vulnerabilities.

Red Hat Security Advisory 2024-0866-03

Red Hat Security Advisory 2024-0866-03 - An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and deserialization vulnerabilities.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907