{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-2900", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2025-03-28T02:06:38.367Z", "datePublished": "2025-05-14T18:50:27.327Z", "dateUpdated": "2025-08-28T14:12:21.020Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:ibm:semeru_runtime:8.0.302.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:8.0.442.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:11.0.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:11.0.26.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:17.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:17.0.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:21.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:21.0.6.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Semeru Runtime", "vendor": "IBM", "versions": [{"lessThanOrEqual": "8.0.442.0", "status": "affected", "version": "8.0.302.0", "versionType": "semver"}, {"lessThanOrEqual": "11.0.26.0", "status": "affected", "version": "11.0.12.0", "versionType": "semver"}, {"lessThanOrEqual": "17.0.14.0", "status": "affected", "version": "17.0.0.0", "versionType": "semver"}, {"lessThanOrEqual": "21.0.6.0", "status": "affected", "version": "21.0.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation."}], "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-08-28T14:12:21.020Z"}, "references": [{"tags": ["vendor-advisory", "patch"], "url": "https://www.ibm.com/support/pages/node/7233415"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Remediation/Fixes<br><br>8.0.452.0<br>11.0.27.0<br>17.0.15.0<br>21.0.7.0<br><br>IBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.<br><br>IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.<br>"}], "value": "Remediation/Fixes\n\n8.0.452.0\n11.0.27.0\n17.0.15.0\n21.0.7.0\n\nIBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.\n\nIBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin."}], "source": {"discovery": "UNKNOWN"}, "title": "IBM Semeru Runtime denial of service", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-14T19:42:43.060744Z", "id": "CVE-2025-2900", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T19:43:19.127Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-2900", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-14T19:42:43.060744Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-14T19:43:15.914Z"}}], "cna": {"title": "IBM Semeru Runtime denial of service", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:ibm:semeru_runtime:8.0.302.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:8.0.442.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:11.0.12.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:11.0.26.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:17.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:17.0.14.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:21.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:semeru_runtime:21.0.6.0:*:*:*:*:*:*:*"], "vendor": "IBM", "product": "Semeru Runtime", "versions": [{"status": "affected", "version": "8.0.302.0", "versionType": "semver", "lessThanOrEqual": "8.0.442.0"}, {"status": "affected", "version": "11.0.12.0", "versionType": "semver", "lessThanOrEqual": "11.0.26.0"}, {"status": "affected", "version": "17.0.0.0", "versionType": "semver", "lessThanOrEqual": "17.0.14.0"}, {"status": "affected", "version": "21.0.0.0", "versionType": "semver", "lessThanOrEqual": "21.0.6.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Remediation/Fixes\n\n8.0.452.0\n11.0.27.0\n17.0.15.0\n21.0.7.0\n\nIBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.\n\nIBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.", "supportingMedia": [{"type": "text/html", "value": "Remediation/Fixes<br><br>8.0.452.0<br>11.0.27.0<br>17.0.15.0<br>21.0.7.0<br><br>IBM Semeru Runtime releases can be downloaded from the GitHub repositories for Semeru 8, Semeru 11, Semeru 17, and Semeru 21 and from the IBM Semeru Developer Center.<br><br>IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.<br>", "base64": false}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7233415", "tags": ["vendor-advisory", "patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.", "supportingMedia": [{"type": "text/html", "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2025-08-28T14:12:21.020Z"}}}, "cveMetadata": {"cveId": "CVE-2025-2900", "state": "PUBLISHED", "dateUpdated": "2025-08-28T14:12:21.020Z", "dateReserved": "2025-03-28T02:06:38.367Z", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "datePublished": "2025-05-14T18:50:27.327Z", "assignerShortName": "ibm"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:semeru_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7BBE52B-E146-4F12-A1C6-9E52E25E0F47", "versionEndIncluding": "8.0.442.0", "versionStartIncluding": "8.0.302.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:semeru_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "AB568CA3-4FEC-44AC-9561-012F8801F234", "versionEndIncluding": "11.026.0", "versionStartIncluding": "11.0.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:semeru_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5D9E8D4-0E2B-47F9-896E-4A9CF7E4BC8C", "versionEndIncluding": "17.0.14.0", "versionStartIncluding": "17.0.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:semeru_runtime:*:*:*:*:*:*:*:*", "matchCriteriaId": "988591A6-8853-4B4B-A936-275366455364", "versionEndIncluding": "21.0.6.0", "versionStartIncluding": "21.0.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation."}, {"lang": "es", "value": "IBM Semeru Runtime 8.0.302.0 a 8.0.442.0, 11.0.12.0 a 11.0.26.0, 17.0.0.0 a 17.0.14.0 y 21.0.0.0 a 12.0.6.0 es vulnerable a una denegaci\u00f3n de servicio causada por un desbordamiento de b\u00fafer y un bloqueo posterior, debido a un defecto en su implementaci\u00f3n de cifrado AES/CBC nativa."}], "id": "CVE-2025-2900", "lastModified": "2025-08-19T19:14:18.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "psirt@us.ibm.com", "type": "Primary"}]}, "published": "2025-05-14T19:15:52.690", "references": [{"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/7233415"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "psirt@us.ibm.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8063", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "java-21-ibm-semeru-certified-jdk-1:21.0.7.0.6-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-21T00:00:00Z"}], "bugzilla": {"description": "ibm-semeru: IBM Semeru Runtime denial of service", "id": "2366318", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366318"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-122", "details": ["IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.", "A flaw was found in IBM Semeru Runtime. This vulnerability allows a denial of service via a crafted AES/CBC encrypted input."], "name": "CVE-2025-2900", "public_date": "2025-05-14T18:50:27Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-2900\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-2900\nhttps://www.ibm.com/support/pages/apar/IJ54115\nhttps://www.ibm.com/support/pages/node/7233415"], "statement": "This vulnerability is rated as an important severity because a denial of service vulnerability was found in IBM Semeru Runtime in its native AES/CBC encryption implementation, this is a heap-based buffer overflow caused by a defect, which can lead to a subsequent crash. This issue results in a denial of service, significantly impacting the availability of the runtime.", "threat_severity": "Important"}