Eclipse OpenJ9 JITServer Denial-of-Service Vulnerability via Crafted TCP Message

Vulnerability

A denial-of-service vulnerability has been identified in Eclipse OpenJ9 JITServer versions 0.21 prior to 0.59. A remote attacker can crash the server by sending a 32-byte crafted TCP message. The vulnerability arises because the message deserialization process does not properly validate the size of data being read, allowing for an out-of-bounds heap read that leads to a segmentation fault. This issue affects JITServer deployments running without TLS client authentication, which is the default configuration.
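The defect the advisory describes is a deserializer that trusts a size field from the wire. The following is an added illustration written for this page, not code from OpenJ9 or the JITServer protocol: it parses a hypothetical length-prefixed record (4-byte little-endian size followed by payload) and applies the two checks a defender wants before reading the payload, namely that the declared size is backed by bytes actually received, and that it stays under a policy cap. The record layout, `MAX_RECORD_SIZE`, `record_t` and the function names are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical wire format for the example: 4-byte little-endian payload
   length, then the payload. This is NOT the OpenJ9 JITServer format. */
#define HEADER_LEN 4u
#define MAX_RECORD_SIZE 4096u  /* assumed policy cap on a single record */

typedef struct {
    uint32_t size;        /* declared payload length (the role DataDescriptor._size plays on the page) */
    const uint8_t *data;  /* points into the receive buffer; never copied here */
} record_t;

/* Parse one record starting at buf[0].
   Returns  0 on success,
           -1 when the header is incomplete or the declared size is larger than the
              bytes actually received (reading it would run past the heap buffer, which
              is the unvalidated read the advisory describes),
           -2 when the declared size exceeds the policy cap. */
int parse_record(const uint8_t *buf, size_t buf_len, record_t *out)
{
    if (buf_len < HEADER_LEN)
        return -1;  /* cannot even read the size field safely */

    uint32_t declared = (uint32_t)buf[0]
                      | ((uint32_t)buf[1] << 8)
                      | ((uint32_t)buf[2] << 16)
                      | ((uint32_t)buf[3] << 24);

    if (declared > MAX_RECORD_SIZE)
        return -2;  /* reject absurd sizes before any allocation or copy */

    /* Compare against the bytes remaining AFTER the header, computed without
       overflow: buf_len >= HEADER_LEN is already established above. */
    if ((size_t)declared > buf_len - HEADER_LEN)
        return -1;  /* declared size not backed by received data */

    out->size = declared;
    out->data = buf + HEADER_LEN;
    return 0;
}

/* Walk a buffer holding back-to-back records; returns the record count,
   or -1 if any record fails validation (a malformed stream is rejected whole). */
int count_records(const uint8_t *buf, size_t buf_len)
{
    size_t offset = 0;
    int count = 0;
    while (offset < buf_len) {
        record_t rec;
        int rc = parse_record(buf + offset, buf_len - offset, &rec);
        if (rc != 0)
            return -1;
        offset += HEADER_LEN + rec.size;
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: one well-formed record, then one whose declared
       size (16) exceeds the three payload bytes that follow it. */
    const uint8_t good[] = {3, 0, 0, 0, 'a', 'b', 'c'};
    const uint8_t truncated[] = {16, 0, 0, 0, 1, 2, 3};
    record_t rec;
    printf("good: rc=%d\n", parse_record(good, sizeof good, &rec));
    printf("truncated: rc=%d\n", parse_record(truncated, sizeof truncated, &rec));
    return 0;
}
```

The second comparison is the one whose absence produces an out-of-bounds heap read: it is written as `declared > buf_len - HEADER_LEN` rather than `HEADER_LEN + declared > buf_len` so that a 32-bit size near `UINT32_MAX` cannot wrap the addition on a 32-bit `size_t`.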

Impact

Exploitation of this vulnerability causes a segmentation fault, crashing the JITServer process. This disruption affects all JIT compilation threads, leading to a complete failure of JIT compilation services. As a result, the Java Virtual Machine (JVM) may revert to interpreted mode or become unresponsive. Additionally, the out-of-bounds read can leak uninitialized heap memory, potentially disclosing sensitive information.

Reproduction

To reproduce this vulnerability, start JITServer on the default TCP port 38400 without authentication. Then, send a crafted TCP message that exploits the deserialization process by including an oversized value in the 'DataDescriptor._size' field. This can be done using a Python script that connects to the JITServer and sends the malicious payload. The server will crash, indicating successful exploitation.

Remediation

Upgrade to Eclipse OpenJ9 version 0.59 or later, where this vulnerability has been patched. Until then, deployments that expose JITServer on a network should enable TLS client authentication so that only authenticated clients can reach the deserialization code path.

Added: May 5, 2026, 1:20 PM
Updated: May 5, 2026, 1:20 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 7.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.