CVE-2024-10917: 
Homebrew vulnerability analysis and mitigation

CVE-2024-10917 affects Eclipse OpenJ9 versions up to 0.47, where the JNI function GetStringUTFLength may return an incorrect value due to integer wraparound. The vulnerability was discovered and disclosed in late 2024, with a fix released in OpenJ9 version 0.48. The issue affects all Eclipse OpenJ9 installations from version 0.8.0 up to version 0.47.0 (NVD, Eclipse CVE).

The vulnerability is classified as an Integer Overflow or Wraparound (CWE-190) issue. The JNI function GetStringUTFLength could return an incorrect value that has wrapped around. In version 0.48, while the issue is fixed, the function may truncate the value to include a smaller number of characters. The vulnerability has received a CVSS v3.1 base score of 5.3 (MEDIUM) from NIST with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, while Eclipse Foundation rated it as 3.7 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability could potentially lead to incorrect string length calculations in JNI operations, which might affect the integrity of data processing in Java applications using the affected OpenJ9 versions. The impact is primarily limited to data integrity issues, as indicated by the CVSS scoring which shows no confidentiality impact and low integrity impact (NVD).

The vulnerability has been fixed in Eclipse OpenJ9 version 0.48.0. Users are advised to upgrade to this version or later. The fix includes modifications to handle the length calculation properly and implements restrictions while copying a string to UTF-8 to avoid overflow (OpenJ9 Release, OpenJ9 PR).