CVE-2024-3933: 
Homebrew vulnerability analysis and mitigation

In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, a vulnerability has been identified when running with JVM option -Xgc:concurrentScavenge. The issue affects the System.arrayCopy functionality on IBM Z platforms with hardware and software support for guarded storage. This vulnerability was assigned CVE-2024-3933 and was discovered in early 2024 (Eclipse CVE).

The vulnerability occurs when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. The issue specifically involves access to a buffer with an incorrect length value. The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) by NVD and 5.3 (MEDIUM) by Eclipse Foundation. The weakness types identified include CWE-125 (Out-of-bounds Read), CWE-787 (Out-of-bounds Write), and CWE-805 (Buffer Access with Incorrect Length Value) (NVD Database).

The vulnerability allows both read and write operations to addresses beyond the end of the array range. This can potentially lead to memory corruption and system instability when exploited (Eclipse CVE).

The vulnerability has been fixed in Eclipse OpenJ9 version 0.44.0. Users are advised to upgrade to this version or later to address the security issue. A fix has been implemented through a pull request that ensures proper evaluation of constant byteLenNode of arrayCopyChild (OMR Pull Request).