CVE-2025-2900

7.5 HIGH

📋 TL;DR

A buffer overflow vulnerability in IBM Semeru Runtime's native AES/CBC encryption implementation allows attackers to cause denial of service through application crashes. This affects all systems running vulnerable versions of IBM Semeru Runtime 8, 11, 17, and 21. The vulnerability is triggered when processing specific encryption operations.

💻 Affected Systems

Products:
  • IBM Semeru Runtime
Versions: 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0
Operating Systems: All platforms supported by IBM Semeru Runtime
Default Config Vulnerable: ⚠️ Yes
Notes: All systems using vulnerable versions with AES/CBC encryption functionality are affected. The vulnerability is in the native implementation, not dependent on specific configurations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through application crashes, potentially affecting multiple applications sharing the runtime environment.

🟠

Likely Case

Application instability and crashes when processing AES/CBC encryption operations, leading to service interruptions.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, though crashes may still occur if exploited.

🌐 Internet-Facing: MEDIUM - Exploitation requires triggering the vulnerable encryption function, which may be exposed through various application interfaces.
🏢 Internal Only: MEDIUM - Internal applications using AES/CBC encryption could be targeted, potentially affecting business operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering the vulnerable AES/CBC encryption function, which may require specific application functionality or crafted inputs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.0.442.0, 11.0.26.0, 17.0.14.0, and 12.0.6.0

Vendor Advisory: https://www.ibm.com/support/pages/node/7233415

Restart Required: Yes

Instructions:

1. Review the IBM advisory for the specific fixed versions.
2. Download and install the updated IBM Semeru Runtime.
3. Restart all applications using the runtime.
4. Verify that applications function correctly post-update.

🔧 Temporary Workarounds

Disable AES/CBC encryption (Platforms: all)

If possible, disable or avoid using AES/CBC encryption in applications until patched.

Requires: application-specific configuration changes

Network segmentation (Platforms: all)

Restrict network access to applications using the vulnerable runtime to reduce the attack surface.

Requires: firewall rules and network ACLs

🧯 If You Can't Patch

  • Implement strict input validation for encryption-related functions
  • Monitor application logs for crash patterns and implement automated restart mechanisms

🔍 How to Verify

Check if Vulnerable:

Check the IBM Semeru Runtime version with the 'java -version' command and compare it against the affected version ranges.

Check Version:

java -version 2>&1 | grep -i 'semeru'

Verify Fix Applied:

Verify installed version is above the affected ranges: 8.0.442.0, 11.0.26.0, 17.0.14.0, and 12.0.6.0.
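The version comparison above, scripted as an added example that is not part of this advisory: it parses the four-part Semeru version out of a 'java -version' banner and tests it against the inclusive ranges listed for 8, 11 and 17. The sample banners are constructed; the 21.x range is left out because the upper bound printed above (12.0.6.0) is lower than its lower bound, so that line should be checked directly against the IBM advisory.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, copied from the advisory text above.
# 21.x is deliberately absent: its printed upper bound is ambiguous.
AFFECTED_RANGES = {
    8: ((8, 0, 302, 0), (8, 0, 442, 0)),
    11: ((11, 0, 12, 0), (11, 0, 26, 0)),
    17: ((17, 0, 0, 0), (17, 0, 14, 0)),
}

# Matches the Semeru banner line and captures a dotted four-part version.
VERSION_RE = re.compile(r"IBM Semeru Runtime[^\n]*?(\d+\.\d+\.\d+\.\d+)")

# Constructed sample banner (not real tool output) for offline use.
SAMPLE_BANNER = (
    'openjdk version "17.0.8" 2023-07-18\n'
    "IBM Semeru Runtime Open Edition 17.0.8.0 (build 17.0.8+7)\n"
    "Eclipse OpenJ9 VM 17.0.8.0 (build openj9-0.40.0)\n"
)


def parse_semeru_version(banner: str) -> Optional[Version]:
    """Return the Semeru version as an int tuple, or None if not a Semeru banner."""
    match = VERSION_RE.search(banner)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def check_banner(banner: str) -> str:
    """Classify a 'java -version' banner: affected, fixed, unknown-major, not-semeru."""
    version = parse_semeru_version(banner)
    if version is None:
        return "not-semeru"
    bounds = AFFECTED_RANGES.get(version[0])
    if bounds is None:
        return "unknown-major"  # no usable range on the page for this line
    low, high = bounds
    return "affected" if low <= version <= high else "fixed"


if __name__ == "__main__":
    print("sample banner:", check_banner(SAMPLE_BANNER))
    try:  # java -version writes its banner to stderr
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("local java:", check_banner(out.stderr + out.stdout))
    except FileNotFoundError:
        print("local java: not installed")
```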

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Stack overflow errors in runtime logs
  • Abnormal termination of Java applications

Network Indicators:

  • Unusual patterns of encryption-related requests
  • Multiple failed encryption operations

SIEM Query:

source="application.logs" AND ("segmentation fault" OR "buffer overflow" OR "SIGSEGV") AND process="java"
