A security vulnerability has been found in the OpenJ9 project code. The OpenJ9 project is still in incubation stage and hasn't delivered any releases yet. The vulnerability also affects IBM products, one which uses an earlier version of the OpenJ9 code, and one which is based on the OpenJ9 code. Is it ok to use IBM processes to report the vulnerability and get a CVE? The fix for the vulnerability will be delivered in OpenJ9 once IBM has released an update, and this will occur before OpenJ9 finalizes the 0.8 release.
(In reply to Peter Shipton from comment #0)
> Is it ok to use IBM processes to report the vulnerability and get a CVE?

+1 Makes sense to me.
The vulnerability is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1417
The fix for the vulnerability is delivered to OpenJ9, and included in the 0.8.0 release.
Since this has been disclosed to Mitre, I believe that we can turn off the "committer-only" flag and disclose this ourselves. If my assumption is correct, can you please turn off that flag?
Agreed and done.