CVE-2015-2590: Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability
First published: Tue Jul 14 2015(Updated: )
An unspecified flaw was found in the Libraries component in OpenJDK. ObjectInputStream's readSerialData() could, in certain cases, incorrectly perform deserialization of data from serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0-update95 | |
| Oracle JDK | =1.7.0-update75 | |
| Oracle JDK | =1.7.0-update80 | |
| Oracle JDK | =1.8.0-update_33 | |
| Oracle JDK | =1.8.0-update45 | |
| Oracle JRE | =1.6.0-update_95 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =15.04 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| SUSE Linux Enterprise Debuginfo | =11-sp3 | |
| SUSE Linux Enterprise Debuginfo | =11-sp4 | |
| openSUSE openSUSE | =13.1 | |
| openSUSE openSUSE | =13.2 | |
| SUSE Linux Enterprise Desktop | =11-sp3 | |
| SUSE Linux Enterprise Desktop | =11-sp4 | |
| SUSE Linux Enterprise Desktop | =12 | |
| SUSE Linux Enterprise Server | =12 | |
| Redhat Satellite | =5.6 | |
| Redhat Satellite | =5.7 | |
| Redhat Enterprise Linux Desktop | =5.0 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =6.6 | |
| Redhat Enterprise Linux Eus | =6.7 | |
| Redhat Enterprise Linux Eus | =7.1 | |
| Redhat Enterprise Linux Eus | =7.2 | |
| Redhat Enterprise Linux Eus | =7.3 | |
| Redhat Enterprise Linux Eus | =7.4 | |
| Redhat Enterprise Linux Eus | =7.5 | |
| Redhat Enterprise Linux For Ibm Z Systems | =6.0_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =6.7_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =7.1_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =7.2_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =7.3_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =7.4_s390x | |
| Redhat Enterprise Linux For Ibm Z Systems Eus | =7.5_s390x | |
| Redhat Enterprise Linux For Power Big Endian | =6.0_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian | =7.0_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =6.7_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =7.1_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =7.2_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =7.3_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =7.4_ppc64 | |
| Redhat Enterprise Linux For Power Big Endian Eus | =7.5_ppc64 | |
| Redhat Enterprise Linux For Power Little Endian | =7.0_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =7.1_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =7.2_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =7.3_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =7.4_ppc64le | |
| Redhat Enterprise Linux For Power Little Endian Eus | =7.5_ppc64le | |
| Redhat Enterprise Linux Server | =5.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =6.6 | |
| Redhat Enterprise Linux Server Aus | =7.3 | |
| Redhat Enterprise Linux Server Aus | =7.4 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Server Tus | =6.6 | |
| Redhat Enterprise Linux Server Tus | =7.3 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.7 | |
| Redhat Enterprise Linux Workstation | =5.0 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| debian/openjdk-8 | 8u422-b05-1 | |
| Oracle Java SE |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/
- http://blog.trendmicro.com/trendlabs-security-intelligence/oracle-patches-java-zero-day-used-in-operation-pawn-storm/
- https://rhn.redhat.com/errata/RHSA-2015-1230.html
- https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
- https://rhn.redhat.com/errata/RHSA-2015-1229.html
- https://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/7e8459e7a45c
- https://rhn.redhat.com/errata/RHSA-2015-1243.html
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1486.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://rhn.redhat.com/errata/RHSA-2015-1526.html
- https://rhn.redhat.com/errata/RHSA-2015-1544.html
- https://rhn.redhat.com/errata/RHSA-2015-1604.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1243139
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://rhn.redhat.com/errata/RHSA-2015-1229.html
- http://rhn.redhat.com/errata/RHSA-2015-1230.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1243.html
- http://rhn.redhat.com/errata/RHSA-2015-1485.html
- http://rhn.redhat.com/errata/RHSA-2015-1486.html
- http://rhn.redhat.com/errata/RHSA-2015-1488.html
- http://rhn.redhat.com/errata/RHSA-2015-1526.html
- http://rhn.redhat.com/errata/RHSA-2015-1544.html
- http://rhn.redhat.com/errata/RHSA-2015-1604.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75818
- http://www.securitytracker.com/id/1032910
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- https://launchpad.net/bugs/cve/CVE-2015-2590
- https://security-tracker.debian.org/tracker/CVE-2015-2590
- https://nvd.nist.gov/vuln/detail/CVE-2015-2590
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590
- https://ubuntu.com/security/CVE-2015-2590
Frequently Asked Questions
What is the severity of CVE-2015-2590?
The severity of CVE-2015-2590 is critical with a severity value of 10.
Which software versions are affected by CVE-2015-2590?
Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 are affected by CVE-2015-2590.
How can remote attackers exploit CVE-2015-2590?
Remote attackers can exploit CVE-2015-2590 to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Where can I find more information about CVE-2015-2590?
You can find more information about CVE-2015-2590 on the Oracle website and the Trend Micro blog.
What is the remedy for CVE-2015-2590?
Apply the patches provided by Oracle and ensure that you are using the latest version of Oracle Java SE or Java SE Embedded.
- collector/redhat-bugzilla
- alias/CVE-2015-2590
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/title
- agent/remedy
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/severity
- collector/nvd-cve
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/softwarecombine
- agent/event
- agent/tags
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update95
- version/oracle jdk/1.7.0-update75
- version/oracle jdk/1.7.0-update80
- version/oracle jdk/1.8.0-update_33
- version/oracle jdk/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.6.0-update_95
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/15.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- vendor/suse
- canonical/suse linux enterprise debuginfo
- version/suse linux enterprise debuginfo/11-sp3
- version/suse linux enterprise debuginfo/11-sp4
- vendor/opensuse
- canonical/opensuse opensuse
- version/opensuse opensuse/13.1
- version/opensuse opensuse/13.2
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/11-sp3
- version/suse linux enterprise desktop/11-sp4
- version/suse linux enterprise desktop/12
- canonical/suse linux enterprise server
- version/suse linux enterprise server/12
- vendor/redhat
- canonical/redhat satellite
- version/redhat satellite/5.6
- version/redhat satellite/5.7
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/5.0
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/6.6
- version/redhat enterprise linux eus/6.7
- version/redhat enterprise linux eus/7.1
- version/redhat enterprise linux eus/7.2
- version/redhat enterprise linux eus/7.3
- version/redhat enterprise linux eus/7.4
- version/redhat enterprise linux eus/7.5
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/6.0_s390x
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/6.7_s390x
- version/redhat enterprise linux for ibm z systems eus/7.1_s390x
- version/redhat enterprise linux for ibm z systems eus/7.2_s390x
- version/redhat enterprise linux for ibm z systems eus/7.3_s390x
- version/redhat enterprise linux for ibm z systems eus/7.4_s390x
- version/redhat enterprise linux for ibm z systems eus/7.5_s390x
- canonical/redhat enterprise linux for power big endian
- version/redhat enterprise linux for power big endian/6.0_ppc64
- version/redhat enterprise linux for power big endian/7.0_ppc64
- canonical/redhat enterprise linux for power big endian eus
- version/redhat enterprise linux for power big endian eus/6.7_ppc64
- version/redhat enterprise linux for power big endian eus/7.1_ppc64
- version/redhat enterprise linux for power big endian eus/7.2_ppc64
- version/redhat enterprise linux for power big endian eus/7.3_ppc64
- version/redhat enterprise linux for power big endian eus/7.4_ppc64
- version/redhat enterprise linux for power big endian eus/7.5_ppc64
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/7.0_ppc64le
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/7.1_ppc64le
- version/redhat enterprise linux for power little endian eus/7.2_ppc64le
- version/redhat enterprise linux for power little endian eus/7.3_ppc64le
- version/redhat enterprise linux for power little endian eus/7.4_ppc64le
- version/redhat enterprise linux for power little endian eus/7.5_ppc64le
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/5.0
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/6.6
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/6.6
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/5.0
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- package-manager/debian
- canonical/oracle java se