CVE-2014-7911
First published: Mon Dec 15 2014(Updated: )
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.
Credit: cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Android | <=4.4.4 | |
| Android | =1.0 | |
| Android | =1.1 | |
| Android | =1.5 | |
| Android | =1.6 | |
| Android | =2.0 | |
| Android | =2.0.1 | |
| Android | =2.1 | |
| Android | =2.2 | |
| Android | =2.2-rev1 | |
| Android | =2.2.1 | |
| Android | =2.2.2 | |
| Android | =2.2.3 | |
| Android | =2.3 | |
| Android | =2.3-rev1 | |
| Android | =2.3.1 | |
| Android | =2.3.2 | |
| Android | =2.3.3 | |
| Android | =2.3.4 | |
| Android | =2.3.5 | |
| Android | =2.3.6 | |
| Android | =2.3.7 | |
| Android | =3.0 | |
| Android | =3.1 | |
| Android | =3.2 | |
| Android | =3.2.1 | |
| Android | =3.2.2 | |
| Android | =3.2.4 | |
| Android | =3.2.6 | |
| Android | =4.0 | |
| Android | =4.0.1 | |
| Android | =4.0.2 | |
| Android | =4.0.3 | |
| Android | =4.0.4 | |
| Android | =4.1 | |
| Android | =4.1.2 | |
| Android | =4.2 | |
| Android | =4.2.1 | |
| Android | =4.2.2 | |
| Android | =4.3 | |
| Android | =4.3.1 | |
| Android | =4.4 | |
| Android | =4.4.1 | |
| Android | =4.4.2 | |
| Android | =4.4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2014-7911?
CVE-2014-7911 has a high severity rating due to its potential to allow remote code execution.
How do I fix CVE-2014-7911?
To fix CVE-2014-7911, ensure that your Android device is updated to version 5.0.0 or greater.
What systems are affected by CVE-2014-7911?
CVE-2014-7911 affects Android versions prior to 5.0.0, including all versions from 1.0 up to 4.4.4.
What type of vulnerability is CVE-2014-7911?
CVE-2014-7911 is a deserialization vulnerability in the java.io.ObjectInputStream implementation.
Can CVE-2014-7911 be exploited remotely?
Yes, CVE-2014-7911 can be exploited remotely by attackers using specially crafted data.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/google
- canonical/android
- version/android/4.4.4
- version/android/1.0
- version/android/1.1
- version/android/1.5
- version/android/1.6
- version/android/2.0
- version/android/2.0.1
- version/android/2.1
- version/android/2.2
- version/android/2.2-rev1
- version/android/2.2.1
- version/android/2.2.2
- version/android/2.2.3
- version/android/2.3
- version/android/2.3-rev1
- version/android/2.3.1
- version/android/2.3.2
- version/android/2.3.3
- version/android/2.3.4
- version/android/2.3.5
- version/android/2.3.6
- version/android/2.3.7
- version/android/3.0
- version/android/3.1
- version/android/3.2
- version/android/3.2.1
- version/android/3.2.2
- version/android/3.2.4
- version/android/3.2.6
- version/android/4.0
- version/android/4.0.1
- version/android/4.0.2
- version/android/4.0.3
- version/android/4.0.4
- version/android/4.1
- version/android/4.1.2
- version/android/4.2
- version/android/4.2.1
- version/android/4.2.2
- version/android/4.3
- version/android/4.3.1
- version/android/4.4
- version/android/4.4.1
- version/android/4.4.2
- version/android/4.4.3