CVE-2021-41035 : Which products will be affected? (25th Oct, 2021)

Preface: The Eclipse OpenJ9 virtual machine (VM) implements the Java Virtual Machine Specification. Most Java applications should run on an OpenJDK that contains the OpenJ9 VM without changing anything. However, because it is an independent implementation there are some differences compared to the HotSpot VM, which is the default OpenJDK VM and is also included in an Oracle JDK.

Background: OpenJ9 is a high performance, scalable, Java™ virtual machine (VM) implementation that is fully compliant with the Java Virtual Machine Specification.

Building OpenJDK with OpenJ9

$ git clone https://github.com/ibmruntimes/openj9-openjdk-jdk9
$ cd openj9-openjdk-jdk9
$ bash ./get_source.sh
$ bash ./configure --with-freemarker-jar=freemarker.jar
$ make images
$ cd build/linux-x86_64-normal-server-release/images/
$ ./jdk/bin/java -version

The VM has connections into the rest of the JDK.
Building OpenJDK with OpenJ9 requires patches to:

  • Build process
  • Class libraries

Vulnerability details: In Eclipse OpenJ9 before version 0.29.0, the JVM does not throw IllegalAccessError for MethodHandles that invoke inaccessible interface methods.
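
To answer the question in the title for a given host, the following added example (not from the original post or the OpenJ9 project) classifies `java -version` output against the fixed release 0.29.0. The function names are hypothetical, the "openj9-x.y.z" build tag format is an assumption about release builds, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: classify `java -version` output against the fixed release (0.29.0).
FIXED_IN="0.29.0"

# Pull the OpenJ9 release number out of version text on stdin.
# Assumption: release builds carry a tag of the form "openj9-0.27.0".
openj9_version() {
    sed -n 's/.*openj9-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Succeeds when version $1 is numerically lower than version $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Reads version text on stdin; prints affected, fixed, unknown-openj9 or not-openj9.
classify_jvm() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | openj9_version)
    if [ -n "$ver" ]; then
        if version_lt "$ver" "$FIXED_IN"; then echo "affected"; else echo "fixed"; fi
    elif printf '%s\n' "$out" | grep -q 'OpenJ9'; then
        echo "unknown-openj9"   # OpenJ9 build without a release tag: check by hand
    else
        echo "not-openj9"       # a different VM (e.g. HotSpot); the advisory is about OpenJ9
    fi
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='openjdk version "11.0.12" 2021-07-20
Eclipse OpenJ9 VM (build openj9-0.27.0, JRE 11 Linux amd64-64-Bit Compressed References)'
SAMPLE_FIXED='openjdk version "11.0.13" 2021-10-19
Eclipse OpenJ9 VM (build openj9-0.29.0, JRE 11 Linux amd64-64-Bit Compressed References)'
SAMPLE_HOTSPOT='openjdk version "11.0.12" 2021-07-20
OpenJDK 64-Bit Server VM (build 11.0.12+7, mixed mode)'

for s in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_HOTSPOT"; do
    printf '%s\n' "$s" | classify_jvm
done

# On a real host (java -version writes to stderr):
#   java -version 2>&1 | classify_jvm
```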

Risk rating: NVD score not yet provided.

Official announcement – https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395
