Bug 530629 (CVE-2018-1417) - Security vulnerability found in OpenJ9 project
Summary: Security vulnerability found in OpenJ9 project
Status: RESOLVED FIXED
Alias: CVE-2018-1417
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: All All
Importance: P3 normal
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects CLA
Keywords: security
Reported: 2018-02-01 14:47 EST by Peter Shipton CLA
Modified: 2018-03-02 13:50 EST
Description Peter Shipton CLA 2018-02-01 14:47:07 EST
A security vulnerability has been found in the OpenJ9 project code. The OpenJ9 project is still in incubation stage and hasn't delivered any releases yet. The vulnerability also affects IBM products, one which uses an earlier version of the OpenJ9 code, and one which is based on the OpenJ9 code.

Is it ok to use IBM processes to report the vulnerability and get a CVE? The fix for the vulnerability will be delivered in OpenJ9 once IBM has released an update, and this will occur before OpenJ9 finalizes the 0.8 release.
Comment 1 Wayne Beaton CLA 2018-02-01 15:49:54 EST
(In reply to Peter Shipton from comment #0)
> Is it ok to use IBM processes to report the vulnerability and get a CVE? 

+1

Makes sense to me.
Comment 2 Peter Shipton CLA 2018-02-09 13:34:16 EST
The vulnerability is http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1417
Comment 3 Peter Shipton CLA 2018-03-01 14:29:44 EST
The fix for the vulnerability is delivered to OpenJ9, and included in the 0.8.0 release.
Comment 4 Wayne Beaton CLA 2018-03-02 10:43:29 EST
Since this has been disclosed to Mitre, I believe that we can turn off the "committer-only" flag and disclose this ourselves. If my assumption is correct, can you please turn off that flag?
Comment 5 Peter Shipton CLA 2018-03-02 13:50:40 EST
Agreed and done.