CVE-2015-4748
First published: Sun Jul 12 2015(Updated: )
A flaw was found in the way the Libraries component of OpenJDK verified OCSP (Online Certificate Status Protocol) response. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity. This could allow a Java application to accept a revoked X.509 certificate as valid if it was presented with an OCSP response generated before certificate revocation.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JRockit | =r28.3.6 | |
| Oracle JDK | =1.6.0-update95 | |
| Oracle JDK | =1.7.0-update75 | |
| Oracle JDK | =1.7.0-update80 | |
| Oracle JDK | =1.8.0-update_33 | |
| Oracle JDK | =1.8.0-update45 | |
| Oracle JRE | =1.6.0-update_95 | |
| Oracle JRE | =1.7.0-update_75 | |
| Oracle JRE | =1.7.0-update_80 | |
| Oracle JRE | =1.8.0-update_33 | |
| Oracle JRE | =1.8.0-update_45 | |
| debian/openjdk-8 | 8u432-b06-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2015-1230.html
- https://rhn.redhat.com/errata/RHSA-2015-1229.html
- https://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/5a49012971bb
- https://rhn.redhat.com/errata/RHSA-2015-1243.html
- https://rhn.redhat.com/errata/RHSA-2015-1242.html
- https://rhn.redhat.com/errata/RHSA-2015-1241.html
- https://rhn.redhat.com/errata/RHSA-2015-1486.html
- https://rhn.redhat.com/errata/RHSA-2015-1485.html
- https://rhn.redhat.com/errata/RHSA-2015-1488.html
- https://rhn.redhat.com/errata/RHSA-2015-1526.html
- https://rhn.redhat.com/errata/RHSA-2015-1544.html
- https://rhn.redhat.com/errata/RHSA-2015-1604.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1242281
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html
- http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html
- http://rhn.redhat.com/errata/RHSA-2015-1228.html
- http://rhn.redhat.com/errata/RHSA-2015-1229.html
- http://rhn.redhat.com/errata/RHSA-2015-1230.html
- http://rhn.redhat.com/errata/RHSA-2015-1241.html
- http://rhn.redhat.com/errata/RHSA-2015-1242.html
- http://rhn.redhat.com/errata/RHSA-2015-1243.html
- http://rhn.redhat.com/errata/RHSA-2015-1485.html
- http://rhn.redhat.com/errata/RHSA-2015-1486.html
- http://rhn.redhat.com/errata/RHSA-2015-1488.html
- http://rhn.redhat.com/errata/RHSA-2015-1526.html
- http://rhn.redhat.com/errata/RHSA-2015-1544.html
- http://rhn.redhat.com/errata/RHSA-2015-1604.html
- http://www.debian.org/security/2015/dsa-3316
- http://www.debian.org/security/2015/dsa-3339
- http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
- http://www.securityfocus.com/bid/75854
- http://www.securitytracker.com/id/1032910
- http://www.securitytracker.com/id/1037732
- http://www.ubuntu.com/usn/USN-2696-1
- http://www.ubuntu.com/usn/USN-2706-1
- https://kc.mcafee.com/corporate/index?page=content&id=SB10139
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727
- https://kc.mcafee.com/corporate/index?page=content&id=SB10139
- https://launchpad.net/bugs/cve/CVE-2015-4748
- https://security-tracker.debian.org/tracker/CVE-2015-4748
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4748
- https://nvd.nist.gov/vuln/detail/CVE-2015-4748
- https://ubuntu.com/security/CVE-2015-4748
Frequently Asked Questions
What is the vulnerability ID of this Oracle Java SE vulnerability?
The vulnerability ID is CVE-2015-4748.
What is the severity rating of CVE-2015-4748?
The severity rating of CVE-2015-4748 is 7.6 (high).
Which versions of Oracle Java SE are affected by CVE-2015-4748?
Oracle Java SE 6u95, 7u80, and 8u45 are affected by CVE-2015-4748.
How can CVE-2015-4748 affect a system?
CVE-2015-4748 can affect confidentiality, integrity, and availability of a system.
Where can I find more information about CVE-2015-4748?
You can find more information about CVE-2015-4748 on the official Oracle website and the Red Hat website.
- collector/redhat-bugzilla
- alias/CVE-2015-4748
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/description
- agent/severity
- agent/remedy
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jrockit
- version/oracle jrockit/r28.3.6
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update95
- version/oracle jdk/1.7.0-update75
- version/oracle jdk/1.7.0-update80
- version/oracle jdk/1.8.0-update_33
- version/oracle jdk/1.8.0-update45
- canonical/oracle jre
- version/oracle jre/1.6.0-update_95
- version/oracle jre/1.7.0-update_75
- version/oracle jre/1.7.0-update_80
- version/oracle jre/1.8.0-update_33
- version/oracle jre/1.8.0-update_45
- package-manager/debian