
=====================================================================

                               CERT-Renater

                    Note d'Information No. 2022/VULN416

_____________________________________________________________________

DATE                : 10/11/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Commons BCEL versions
                     prior to 6.6.0.

=====================================================================
https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
_____________________________________________________________________

CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing
arbitrary bytecode via out-of-bounds writing


Description:

Apache Commons BCEL has a number of APIs that would normally only
allow changing specific class characteristics. However, due to an
out-of-bounds writing issue, these APIs can be used to produce
arbitrary bytecode. This could be abused in applications that
pass attacker-controllable data to those APIs, giving the attacker
more control over the resulting bytecode than otherwise expected.
Update to Apache Commons BCEL 6.6.0.

This issue is being tracked as BCEL-363.
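
As an added example (not part of the CERT-Renater note or the BCEL
project), the following script flags affected Apache Commons BCEL
versions in `mvn dependency:list`-style output. The sample lines are
constructed, and the version ordering is a simplification of Maven's
rules: a `-SNAPSHOT`/`-RC` qualifier is treated as older than the plain
release, so `6.6.0-SNAPSHOT` is still reported as affected.

```python
import re

# Constructed sample in the shape of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LINES = """
[INFO]    org.apache.bcel:bcel:jar:6.5.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    org.apache.bcel:bcel:jar:6.6.0:test
[INFO]    org.apache.bcel:bcel:jar:6.7.0-SNAPSHOT:compile
[INFO]    org.apache.bcel:bcel:jar:5.2:compile
"""

# CVE-2022-42920 is fixed in Apache Commons BCEL 6.6.0 (BCEL-363).
FIXED_VERSION = (6, 6, 0, 0)

# group:artifact:type:version:scope, as printed by the Maven dependency plugin.
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+)"
    r":(?P<version>[^:\s]+):(?P<scope>\w+)"
)


def parse_version(version: str) -> tuple:
    """Map '6.5.0', '5.2' or '6.6.0-SNAPSHOT' to a comparable 4-tuple.
    Missing numeric components count as 0. A qualifier such as -SNAPSHOT
    or -RC1 is ranked below the bare release (-1), which is a simplification
    of Maven's ordering chosen so pre-release builds are flagged, not missed."""
    numeric, _, qualifier = version.partition("-")
    parts = [int(p) for p in re.findall(r"\d+", numeric)]
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts) + ((-1,) if qualifier else (0,))


def is_vulnerable_bcel(group: str, artifact: str, version: str) -> bool:
    """True only for org.apache.bcel:bcel below the fixed release."""
    return (group, artifact) == ("org.apache.bcel", "bcel") and parse_version(version) < FIXED_VERSION


def find_vulnerable(text: str) -> list:
    """Return (version, scope) pairs for every affected BCEL coordinate in the output."""
    hits = []
    for line in text.splitlines():
        m = COORD_RE.search(line)
        if m and is_vulnerable_bcel(m["group"], m["artifact"], m["version"]):
            hits.append((m["version"], m["scope"]))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_DEPENDENCY_LINES):
        print(f"affected: org.apache.bcel:bcel:{version} ({scope}) -> upgrade to 6.6.0")
```

Transitive dependencies appear in the same listing, so run it against the full tree rather than only the direct coordinates declared in the build file.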


Credit:

Reported by Felix Wilhelm (Google); GitHub pull request to
Apache Commons BCEL #147 by Richard Atkins
(https://github.com/rjatkins); PR derived from OpenJDK
(https://github.com/openjdk/jdk11u/)
commit 13bf52c8d876528a43be7cb77a1f452d29a21492 by
Aleksei Voitylov and RealCLanger
(Christoph Langer https://github.com/RealCLanger)


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


