CVE-2015-4881
First published: Mon Oct 19 2015(Updated: )
It was discovered that the IIOPInputStream class in the CORBA component of OpenJDK failed to properly check object and field types during object deserialization. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Java SE 7 | =1.6.0-update101 | |
| Oracle Java SE 7 | =1.7.0-update85 | |
| Oracle Java SE 7 | =1.8.0-update51 | |
| Oracle Java SE 7 | =1.8.0-update60 | |
| Oracle JRE | =1.6.0-update_101 | |
| Oracle JRE | =1.7.0-update_85 | |
| Oracle JRE | =1.8.0-update_51 | |
| Oracle JRE | =1.8.0-update_60 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2015-1921.html
- https://rhn.redhat.com/errata/RHSA-2015-1920.html
- https://rhn.redhat.com/errata/RHSA-2015-1919.html
- https://rhn.redhat.com/errata/RHSA-2015-1928.html
- https://rhn.redhat.com/errata/RHSA-2015-1926.html
- https://rhn.redhat.com/errata/RHSA-2015-1927.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/corba/rev/d185c856ef85
- https://rhn.redhat.com/errata/RHSA-2015-2086.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1273027
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
- http://rhn.redhat.com/errata/RHSA-2015-1919.html
- http://rhn.redhat.com/errata/RHSA-2015-1920.html
- http://rhn.redhat.com/errata/RHSA-2015-1921.html
- http://rhn.redhat.com/errata/RHSA-2015-1926.html
- http://rhn.redhat.com/errata/RHSA-2015-1927.html
- http://rhn.redhat.com/errata/RHSA-2015-1928.html
- http://www.debian.org/security/2015/dsa-3381
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/77159
- http://www.securitytracker.com/id/1033884
- http://www.ubuntu.com/usn/USN-2784-1
- http://www.ubuntu.com/usn/USN-2827-1
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
Frequently Asked Questions
What is the severity of CVE-2015-4881?
CVE-2015-4881 has a severity rating that indicates it can lead to serious security vulnerabilities, allowing untrusted applications to bypass security restrictions.
How do I fix CVE-2015-4881?
To mitigate CVE-2015-4881, it is recommended to update to the latest version of Oracle JDK or JRE that addresses this vulnerability.
Which versions of software are affected by CVE-2015-4881?
CVE-2015-4881 affects multiple versions, including Oracle JDK 1.6.0-update101, 1.7.0-update85, and 1.8.0-update51 and 1.8.0-update60.
What type of attack does CVE-2015-4881 facilitate?
CVE-2015-4881 allows an attacker to exploit deserialization flaws, potentially executing untrusted code within the Java environment.
Is CVE-2015-4881 relevant to Java developers?
Yes, CVE-2015-4881 is particularly relevant to Java developers and system administrators who use the affected versions, as it can compromise application security.
- collector/redhat-bugzilla
- alias/CVE-2015-4881
- agent/references
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/remedy
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.6.0-update101
- version/oracle java se 7/1.7.0-update85
- version/oracle java se 7/1.8.0-update51
- version/oracle java se 7/1.8.0-update60
- canonical/oracle jre
- version/oracle jre/1.6.0-update_101
- version/oracle jre/1.7.0-update_85
- version/oracle jre/1.8.0-update_51
- version/oracle jre/1.8.0-update_60