CVE-2015-2628
First published: Sun Jul 12 2015(Updated: )
It was discovered that the IIOPInputStream class in the CORBA component in OpenJDK failed to properly check object field types. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0-update95 | |
| Oracle JDK | =1.7.0-update75 | |
| Oracle JDK | =1.7.0-update80 | |
| Oracle JDK | =1.8.0-update_33 | |
| Oracle JDK | =1.8.0-update45 | |
| Oracle JRE | =1.6.0-update_95 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| debian/openjdk-8 | 8u432-b06-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2015-1230.html
- https://rhn.redhat.com/errata/RHSA-2015-1229.html
- https://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/0011162b38bf
- https://rhn.redhat.com/errata/RHSA-2015-1243.html
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1526.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1242232
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://rhn.redhat.com/errata/RHSA-2015-1229.html
- http://rhn.redhat.com/errata/RHSA-2015-1230.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1243.html
- http://rhn.redhat.com/errata/RHSA-2015-1526.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75796
- http://www.securitytracker.com/id/1032910
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- https://launchpad.net/bugs/cve/CVE-2015-2628
- https://security-tracker.debian.org/tracker/CVE-2015-2628
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2628
- https://nvd.nist.gov/vuln/detail/CVE-2015-2628
- https://ubuntu.com/security/CVE-2015-2628
Frequently Asked Questions
What is the severity of CVE-2015-2628?
The severity of CVE-2015-2628 is critical with a severity value of 10.
Which software versions are affected by CVE-2015-2628?
Oracle Java SE 6u95, 7u80, and 8u45, as well as Java SE Embedded 7u75 and 8u33 are affected.
How can remote attackers exploit CVE-2015-2628?
Remote attackers can exploit CVE-2015-2628 through vectors related to CORBA.
What are the remediation options for CVE-2015-2628 on Ubuntu?
You can remedy CVE-2015-2628 on Ubuntu by updating to OpenJDK 6u96, 7u85, or 8u51.
What are the reference links for CVE-2015-2628?
You can find the reference links for CVE-2015-2628 [here](http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA) and [here](https://rhn.redhat.com/errata/RHSA-2015-1230.html).
- collector/redhat-bugzilla
- alias/CVE-2015-2628
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update95
- version/oracle jdk/1.7.0-update75
- version/oracle jdk/1.7.0-update80
- version/oracle jdk/1.8.0-update_33
- version/oracle jdk/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.6.0-update_95
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- package-manager/debian