CVE-2021-41035

9.8 CRITICAL

📋 TL;DR

In Eclipse Openj9 before 0.29.0 the JVM does not throw IllegalAccessError when a MethodHandle is used to invoke an interface method that the calling code is not allowed to access. Any Java code already running on a vulnerable JVM can therefore call interface methods that the language's access checks should reject, which undermines sandboxing or privilege boundaries built on those checks and can lead to privilege escalation or arbitrary code execution inside the JVM process.

💻 Affected Systems

Products:
  • Eclipse Openj9
Versions: All versions before 0.29.0
Operating Systems: All platforms running Openj9
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any Java application running on a vulnerable Openj9 JVM. The flaw is in the JVM's own access check, so it is independent of the application, but an attacker still needs some way to get Java code executing inside that JVM (plugins, scripts, uploaded bytecode, or another code-execution bug).

📦 What is this software?

Eclipse OpenJ9 is an open-source Java virtual machine maintained under the Eclipse Foundation and originally contributed by IBM. It is a drop-in alternative to HotSpot and is distributed inside JDK builds (for example IBM Semeru Runtimes and IBM's own Java packages) rather than as a standalone product, so the affected component is usually the JDK/JRE installed on the host.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Escape from a Java-level sandbox (SecurityManager policy, plugin or tenant isolation) into arbitrary code execution with the privileges of the JVM process, and from there full compromise of the host.

🟠

Likely Case

Application-level privilege escalation allowing attackers to access restricted data or functionality within vulnerable Java applications.

🟢

If Mitigated

Limited impact where the JVM only runs trusted, first-party code. The flaw is reachable only by Java code already executing inside the JVM, so it matters most where access checks are relied on as a security boundary (plugin hosts, scripting engines, multi-tenant application servers, SecurityManager sandboxes). Whether the application itself uses MethodHandles is irrelevant; the attacker's code is what uses them.

🌐 Internet-Facing: HIGH - Exploitable remotely only where a web application lets remote input become Java code running in the JVM (plugin or extension upload, user-supplied scripts, or a separate code-execution bug chained with this one); the access-check bypass itself is not reachable over the network.
🏢 Internal Only: HIGH - Internal applications that host code from other teams, tenants or third-party plugins lose the access-control boundary between that code and the rest of the process.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to execute Java bytecode on the vulnerable JVM plus familiarity with java.lang.invoke.MethodHandles and the JVM's access rules for interface methods. No application-level API is involved; the missing check is inside the JVM.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.29.0 and later

Vendor Advisory: https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395

Restart Required: Yes

Instructions:

1. Obtain a JDK or JRE build that bundles Openj9 0.29.0 or later (Openj9 ships inside JDK builds such as IBM Semeru Runtimes, not as a separate download).
2. Replace the existing Openj9 JVM with the patched build; for containerised workloads, rebuild the image on an updated base image rather than patching running containers.
3. Restart every Java application so that it runs on the updated JVM, and re-check with java -version afterwards.

🔧 Temporary Workarounds

Do not run untrusted code on the vulnerable JVM

Platform: all

MethodHandles cannot be switched off: the JVM uses java.lang.invoke internally for lambdas, method references and every invokedynamic call site, so "disabling MethodHandles" is not a workable control. What can be restricted is who gets to run code. Stop loading untrusted plugins, scripts or bytecode into the vulnerable JVM, and review first-party code that constructs MethodHandles from user-controlled input.

No direct commands - requires code review and configuration changes

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Stop treating the JVM's access checks as a security boundary: do not use a vulnerable JVM to separate tenants, plugins or untrusted code from privileged code
  • Deploy runtime application security protection (RASP) to detect exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Run java -version. On an Openj9 JVM the "Eclipse OpenJ9 VM" line carries a build tag of the form openj9-X.Y.Z; if that release is below 0.29.0 the system is vulnerable. Note that java -version writes to stderr, so redirect it before piping into grep. Check every installed JDK, not just the one first on PATH.

Check Version:

java -version 2>&1 | grep -i openj9

Verify Fix Applied:

After patching, verify that java -version 2>&1 shows openj9-0.29.0 or later for every JVM that application processes actually run on (check the binary used by each service, not only the interactive shell's PATH).
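The version check above as a runnable script, added here as an example; it is not part of the original advisory or of the OpenJ9 project. It assumes Openj9 builds print an openj9-X.Y.Z tag in the "Eclipse OpenJ9 VM" line, as current builds do, exercises three constructed sample outputs (a pre-fix build, a fixed build, and a HotSpot JVM), and then checks the java on PATH if one exists. The comparison is numeric per component, so it does not misorder releases like 0.9.0 and 0.29.0 the way a lexical sort would.

```shell
#!/bin/sh
# Added example, not from the original advisory or the OpenJ9 project:
# parse the OpenJ9 release tag out of `java -version` output and decide
# whether it predates the 0.29.0 fix for CVE-2021-41035.
# Assumption: OpenJ9 builds print a token of the form "openj9-X.Y.Z" in the
# "Eclipse OpenJ9 VM ... (build openj9-X.Y.Z, ...)" line.

FIXED_RELEASE=0.29.0

# Constructed sample outputs (not captured from real hosts; hashes are dummies).
SAMPLE_VULN='openjdk version "11.0.12" 2021-07-20
IBM Semeru Runtime Open Edition 11.0.12.0 (build 11.0.12+7)
Eclipse OpenJ9 VM 11.0.12.0 (build openj9-0.27.0, JRE 11 Linux amd64-64-Bit Compressed References 20210720_000 (JIT enabled, AOT enabled)
OpenJ9   - 0000000
OMR      - 0000000
JCL      - 0000000 based on jdk-11.0.12+7)'

SAMPLE_FIXED='openjdk version "11.0.13" 2021-10-19
IBM Semeru Runtime Open Edition 11.0.13.0 (build 11.0.13+8)
Eclipse OpenJ9 VM 11.0.13.0 (build openj9-0.29.0, JRE 11 Linux amd64-64-Bit Compressed References 20211019_000 (JIT enabled, AOT enabled)
OpenJ9   - 0000000
OMR      - 0000000
JCL      - 0000000 based on jdk-11.0.13+8)'

SAMPLE_HOTSPOT='openjdk version "11.0.13" 2021-10-19
OpenJDK Runtime Environment (build 11.0.13+8)
OpenJDK 64-Bit Server VM (build 11.0.13+8, mixed mode)'

# Print the OpenJ9 release (e.g. 0.27.0) found in java -version text on stdin;
# print nothing for a HotSpot or unknown JVM.
openj9_release() {
    sed -n 's/.*openj9-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 if dotted version $1 is strictly lower than $2, comparing each
# component numerically (so 0.9.0 < 0.29.0).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "\\."); m = split(b, y, "\\.")
        for (i = 1; i <= 3; i++) {
            xa = (i <= n) ? x[i] + 0 : 0
            yb = (i <= m) ? y[i] + 0 : 0
            if (xa < yb) exit 0
            if (xa > yb) exit 1
        }
        exit 1
    }'
}

# Classify one java -version output ($1) as "VULNERABLE X.Y.Z", "FIXED X.Y.Z"
# or "NOT_OPENJ9".
classify_version_output() {
    rel=$(printf '%s\n' "$1" | openj9_release)
    if [ -z "$rel" ]; then
        echo NOT_OPENJ9
    elif version_lt "$rel" "$FIXED_RELEASE"; then
        echo "VULNERABLE $rel"
    else
        echo "FIXED $rel"
    fi
}

# Check the java on PATH. java -version writes to stderr, hence 2>&1.
check_local_java() {
    classify_version_output "$(java -version 2>&1)"
}

echo "sample (pre-fix): $(classify_version_output "$SAMPLE_VULN")"
echo "sample (fixed):   $(classify_version_output "$SAMPLE_FIXED")"
echo "sample (HotSpot): $(classify_version_output "$SAMPLE_HOTSPOT")"
if command -v java >/dev/null 2>&1; then
    echo "local java:       $(check_local_java)"
fi
```

To audit a fleet, run classify_version_output against the output of each service's own java binary (for example the one named in its systemd unit or container image), since the JVM on the interactive PATH is often not the one the application uses.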

📡 Detection & Monitoring

Log Indicators:

  • On a patched JVM, an attempt to invoke an inaccessible interface method through a MethodHandle fails with IllegalAccessError (or IllegalAccessException at lookup time); a burst of these from one component or plugin is worth investigating.
  • On a vulnerable JVM the forbidden call succeeds silently: the JVM writes nothing for the bypass itself, so the absence of IllegalAccessError is not evidence that nothing happened.
  • Unexpected class loading or use of java.lang.invoke from code paths that should not need it, visible only where the application logs class loading or the JVM runs with -verbose:class.
  • SecurityManager access violation logs from the same component (other, still-enforced checks it trips after the bypass).

Network Indicators:

  • Unusual outbound connections from Java processes
  • Suspicious network traffic patterns

SIEM Query:

source="java.log" AND ("MethodHandles" OR "IllegalAccessError")

This query surfaces denied attempts on patched hosts and ordinary programming errors; on unpatched hosts it yields nothing for this CVE, so pair it with the version check rather than relying on it for coverage.

🔗 References

  • Eclipse bug 576395 (vendor advisory): https://bugs.eclipse.org/bugs/show_bug.cgi?id=576395
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-41035