CVE-2022-42920
Publication date 7 November 2022
Last updated 9 January 2025
Ubuntu priority
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| bcel | 24.10 oracular |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Notes
john-breton
Duplicate of CVE-2022-34169. But CVE-2022-34169 was assigned for Apache Xalan Java XSLT library, whereas CVE-2022-42920 is associated with bcel itself. Will patch as this CVE.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
9.8 · Critical
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7208-1
- Apache Commons BCEL vulnerability
- 16 January 2025
Other references
- https://www.openwall.com/lists/oss-security/2022/11/04/6
- https://www.openwall.com/lists/oss-security/2022/11/04/8
- https://github.com/apache/commons-bcel/pull/147
- https://github.com/apache/commons-bcel/commit/f3267cbcc900f80851d561bdd16b239d936947f5
- https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
- https://www.cve.org/CVERecord?id=CVE-2022-42920