CVE-2022-42920: 
Java vulnerability analysis and mitigation

Apache Commons BCEL (Byte Code Engineering Library) versions prior to 6.6.0 contained a vulnerability identified as CVE-2022-42920. The vulnerability was discovered in October 2022 and involves APIs that normally only allow changing specific class characteristics. Due to an out-of-bounds writing issue, these APIs could be exploited to produce arbitrary bytecode, potentially giving attackers more control over the resulting bytecode than intended (CVE Details, Debian Security).

The vulnerability stems from an out-of-bounds writing issue in the BCEL APIs that could be exploited when applications pass attacker-controllable data to these APIs. The issue was tracked as BCEL-363 and was initially reported by Felix Wilhelm from Google. The fix was implemented through GitHub pull request #147 by Richard Atkins, derived from an OpenJDK commit by Aleksei Voitylov and Christoph Langer (OSS Security).

When exploited, this vulnerability could allow attackers to produce arbitrary bytecode through applications that use the affected BCEL APIs. This could potentially lead to increased control over the resulting bytecode beyond the intended limitations of the APIs, posing a significant security risk for applications processing untrusted input (CVE Details).

The recommended mitigation is to update to Apache Commons BCEL version 6.6.0 or later. Various Linux distributions have also released security updates to address this vulnerability, including Fedora, which patched versions 35, 36, and 37 with specific updates (Fedora Update).