CVE-2015-2590: Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability
First published: Tue Jul 14 2015(Updated: )
An unspecified flaw was found in the Libraries component in OpenJDK. ObjectInputStream's readSerialData() could, in certain cases, incorrectly perform deserialization of data from serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-8 | 8u442-ga-2 | |
| Oracle Java SE 7 | ||
| Oracle Java SE 7 | =1.6.0-update95 | |
| Oracle Java SE 7 | =1.7.0-update75 | |
| Oracle Java SE 7 | =1.7.0-update80 | |
| Oracle Java SE 7 | =1.8.0-update_33 | |
| Oracle Java SE 7 | =1.8.0-update45 | |
| Oracle JRE | =1.6.0-update_95 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| SUSE Linux Enterprise Debuginfo | =11-sp3 | |
| SUSE Linux Enterprise Debuginfo | =11-sp4 | |
| openSUSE | =13.1 | |
| openSUSE | =13.2 | |
| SUSE Linux Enterprise Desktop | =11-sp3 | |
| SUSE Linux Enterprise Desktop | =11-sp4 | |
| SUSE Linux Enterprise Desktop | =12 | |
| SUSE Linux Enterprise Server | =12 | |
| Red Hat Satellite | =5.6 | |
| Red Hat Satellite | =5.7 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server EUS | =6.6 | |
| Red Hat Enterprise Linux Server EUS | =6.7 | |
| Red Hat Enterprise Linux Server EUS | =7.1 | |
| Red Hat Enterprise Linux Server EUS | =7.2 | |
| Red Hat Enterprise Linux Server EUS | =7.3 | |
| Red Hat Enterprise Linux Server EUS | =7.4 | |
| Red Hat Enterprise Linux Server EUS | =7.5 | |
| Red Hat Enterprise Linux for IBM Z Systems | =6.0_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =6.7_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =7.1_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =7.2_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =7.3_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =7.4_s390x | |
| Red Hat Enterprise Linux for IBM Z Systems (s390x) | =7.5_s390x | |
| Red Hat Enterprise Linux for Power, big endian | =6.0_ppc64 | |
| Red Hat Enterprise Linux for Power, big endian | =7.0_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =6.7_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =7.1_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =7.2_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =7.3_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =7.4_ppc64 | |
| Red Hat Enterprise Linux for Power, Big Endian EUS | =7.5_ppc64 | |
| Red Hat Enterprise Linux for Power, little endian | =7.0_ppc64le | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =7.1_ppc64le | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =7.2_ppc64le | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =7.3_ppc64le | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =7.4_ppc64le | |
| Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =7.5_ppc64le | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =6.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Server | =6.6 | |
| Red Hat Enterprise Linux Server | =7.3 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.7 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/
- http://blog.trendmicro.com/trendlabs-security-intelligence/oracle-patches-java-zero-day-used-in-operation-pawn-storm/
- https://rhn.redhat.com/errata/RHSA-2015-1230.html
- https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
- https://rhn.redhat.com/errata/RHSA-2015-1229.html
- https://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/7e8459e7a45c
- https://rhn.redhat.com/errata/RHSA-2015-1243.html
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1486.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://rhn.redhat.com/errata/RHSA-2015-1526.html
- https://rhn.redhat.com/errata/RHSA-2015-1544.html
- https://rhn.redhat.com/errata/RHSA-2015-1604.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1243139
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://rhn.redhat.com/errata/RHSA-2015-1229.html
- http://rhn.redhat.com/errata/RHSA-2015-1230.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1243.html
- http://rhn.redhat.com/errata/RHSA-2015-1485.html
- http://rhn.redhat.com/errata/RHSA-2015-1486.html
- http://rhn.redhat.com/errata/RHSA-2015-1488.html
- http://rhn.redhat.com/errata/RHSA-2015-1526.html
- http://rhn.redhat.com/errata/RHSA-2015-1544.html
- http://rhn.redhat.com/errata/RHSA-2015-1604.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75818
- http://www.securitytracker.com/id/1032910
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- https://launchpad.net/bugs/cve/CVE-2015-2590
- https://security-tracker.debian.org/tracker/CVE-2015-2590
- https://nvd.nist.gov/vuln/detail/CVE-2015-2590
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2590
- https://ubuntu.com/security/CVE-2015-2590
Frequently Asked Questions
What is the severity of CVE-2015-2590?
The severity of CVE-2015-2590 is critical with a severity value of 10.
Which software versions are affected by CVE-2015-2590?
Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 are affected by CVE-2015-2590.
How can remote attackers exploit CVE-2015-2590?
Remote attackers can exploit CVE-2015-2590 to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Where can I find more information about CVE-2015-2590?
You can find more information about CVE-2015-2590 on the Oracle website and the Trend Micro blog.
What is the remedy for CVE-2015-2590?
Apply the patches provided by Oracle and ensure that you are using the latest version of Oracle Java SE or Java SE Embedded.
- collector/redhat-bugzilla
- alias/CVE-2015-2590
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/title
- agent/remedy
- agent/author
- agent/severity
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/last-modified-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- collector/nvd-index
- package-manager/debian
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.6.0-update95
- version/oracle java se 7/1.7.0-update75
- version/oracle java se 7/1.7.0-update80
- version/oracle java se 7/1.8.0-update_33
- version/oracle java se 7/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.6.0-update_95
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- vendor/suse
- canonical/suse linux enterprise debuginfo
- version/suse linux enterprise debuginfo/11-sp3
- version/suse linux enterprise debuginfo/11-sp4
- vendor/opensuse
- canonical/opensuse
- version/opensuse/13.1
- version/opensuse/13.2
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/11-sp3
- version/suse linux enterprise desktop/11-sp4
- version/suse linux enterprise desktop/12
- canonical/suse linux enterprise server
- version/suse linux enterprise server/12
- vendor/redhat
- canonical/red hat satellite
- version/red hat satellite/5.6
- version/red hat satellite/5.7
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/5.0
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/6.6
- version/red hat enterprise linux server eus/6.7
- version/red hat enterprise linux server eus/7.1
- version/red hat enterprise linux server eus/7.2
- version/red hat enterprise linux server eus/7.3
- version/red hat enterprise linux server eus/7.4
- version/red hat enterprise linux server eus/7.5
- canonical/red hat enterprise linux for ibm z systems
- version/red hat enterprise linux for ibm z systems/6.0_s390x
- canonical/red hat enterprise linux for ibm z systems (s390x)
- version/red hat enterprise linux for ibm z systems (s390x)/6.7_s390x
- version/red hat enterprise linux for ibm z systems (s390x)/7.1_s390x
- version/red hat enterprise linux for ibm z systems (s390x)/7.2_s390x
- version/red hat enterprise linux for ibm z systems (s390x)/7.3_s390x
- version/red hat enterprise linux for ibm z systems (s390x)/7.4_s390x
- version/red hat enterprise linux for ibm z systems (s390x)/7.5_s390x
- canonical/red hat enterprise linux for power, big endian
- version/red hat enterprise linux for power, big endian/6.0_ppc64
- version/red hat enterprise linux for power, big endian/7.0_ppc64
- canonical/red hat enterprise linux for power, big endian eus
- version/red hat enterprise linux for power, big endian eus/6.7_ppc64
- version/red hat enterprise linux for power, big endian eus/7.1_ppc64
- version/red hat enterprise linux for power, big endian eus/7.2_ppc64
- version/red hat enterprise linux for power, big endian eus/7.3_ppc64
- version/red hat enterprise linux for power, big endian eus/7.4_ppc64
- version/red hat enterprise linux for power, big endian eus/7.5_ppc64
- canonical/red hat enterprise linux for power, little endian
- version/red hat enterprise linux for power, little endian/7.0_ppc64le
- canonical/red hat enterprise linux for power, little endian - extended update support
- version/red hat enterprise linux for power, little endian - extended update support/7.1_ppc64le
- version/red hat enterprise linux for power, little endian - extended update support/7.2_ppc64le
- version/red hat enterprise linux for power, little endian - extended update support/7.3_ppc64le
- version/red hat enterprise linux for power, little endian - extended update support/7.4_ppc64le
- version/red hat enterprise linux for power, little endian - extended update support/7.5_ppc64le
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/5.0
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/6.6
- version/red hat enterprise linux server/7.3
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.6
- version/red hat enterprise linux server/7.7
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/5.0
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0