CVE-2015-4733
First published: Sun Jul 12 2015(Updated: )
It was discovered that the RemoteObjectInvocationHandler class in the RMI component of OpenJDK did not prevent calls to the finalize() method. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. The patch prevents calls of the finalize() method. It also makes it possible to re-enable support for calling the method via the sun.rmi.server.invocationhandler.allowFinalizeInvocation system property.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0-update95 | |
| Oracle JDK | =1.7.0-update75 | |
| Oracle JDK | =1.7.0-update80 | |
| Oracle JDK | =1.8.0-update_33 | |
| Oracle JDK | =1.8.0-update45 | |
| Oracle JRE | =1.6.0-update_95 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| debian/openjdk-8 | 8u432-b06-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2015-1230.html
- https://rhn.redhat.com/errata/RHSA-2015-1229.html
- https://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/27beb7ba8b16
- https://rhn.redhat.com/errata/RHSA-2015-1243.html
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1486.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://rhn.redhat.com/errata/RHSA-2015-1526.html
- https://rhn.redhat.com/errata/RHSA-2015-1544.html
- https://rhn.redhat.com/errata/RHSA-2015-1604.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1242275
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://rhn.redhat.com/errata/RHSA-2015-1229.html
- http://rhn.redhat.com/errata/RHSA-2015-1230.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1243.html
- http://rhn.redhat.com/errata/RHSA-2015-1485.html
- http://rhn.redhat.com/errata/RHSA-2015-1486.html
- http://rhn.redhat.com/errata/RHSA-2015-1488.html
- http://rhn.redhat.com/errata/RHSA-2015-1526.html
- http://rhn.redhat.com/errata/RHSA-2015-1544.html
- http://rhn.redhat.com/errata/RHSA-2015-1604.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75832
- http://www.securitytracker.com/id/1032910
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- https://launchpad.net/bugs/cve/CVE-2015-4733
- https://security-tracker.debian.org/tracker/CVE-2015-4733
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4733
- https://nvd.nist.gov/vuln/detail/CVE-2015-4733
- https://ubuntu.com/security/CVE-2015-4733
Frequently Asked Questions
What is the severity of CVE-2015-4733?
The severity of CVE-2015-4733 is critical.
How does CVE-2015-4733 affect Oracle Java SE?
CVE-2015-4733 affects Oracle Java SE versions 6u95, 7u80, and 8u45, as well as Java SE Embedded versions 7u75 and 8u33.
What is the impact of CVE-2015-4733?
CVE-2015-4733 can affect confidentiality, integrity, and availability of the system.
How can I mitigate the vulnerability in Oracle Java SE?
To mitigate the vulnerability in Oracle Java SE, it is recommended to apply the relevant security updates provided by Oracle or the respective Linux distributions.
Where can I find more information about CVE-2015-4733?
For more information about CVE-2015-4733, you can refer to the Oracle Security Advisory and the Red Hat Security Advisories linked in the references section.
- collector/redhat-bugzilla
- alias/CVE-2015-4733
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/severity
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update95
- version/oracle jdk/1.7.0-update75
- version/oracle jdk/1.7.0-update80
- version/oracle jdk/1.8.0-update_33
- version/oracle jdk/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.6.0-update_95
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- package-manager/debian