CVE-2015-4903
First published: Tue Oct 20 2015(Updated: )
It was discovered that the RemoteObjectInvocationHandler class in the RMI component of OpenJDK did not check if object proxy is an instance of a proxy class and that it uses correct invocation handler. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions by gaining access to data that should by protected by the sandbox.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Java SE 7 | =1.6.0-update101 | |
| Oracle Java SE 7 | =1.7.0-update85 | |
| Oracle Java SE 7 | =1.8.0-update51 | |
| Oracle Java SE 7 | =1.8.0-update60 | |
| Oracle JRE | =1.6.0-update_101 | |
| Oracle JRE | =1.7.0-update_85 | |
| Oracle JRE | =1.8.0-update_51 | |
| Oracle JRE | =1.8.0-update_60 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00008.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00014.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
- http://rhn.redhat.com/errata/RHSA-2015-1919.html
- http://rhn.redhat.com/errata/RHSA-2015-1920.html
- http://rhn.redhat.com/errata/RHSA-2015-1921.html
- http://rhn.redhat.com/errata/RHSA-2015-1926.html
- http://rhn.redhat.com/errata/RHSA-2015-1927.html
- http://rhn.redhat.com/errata/RHSA-2015-1928.html
- http://rhn.redhat.com/errata/RHSA-2015-2506.html
- http://rhn.redhat.com/errata/RHSA-2015-2507.html
- http://rhn.redhat.com/errata/RHSA-2015-2508.html
- http://rhn.redhat.com/errata/RHSA-2015-2509.html
- http://rhn.redhat.com/errata/RHSA-2015-2518.html
- http://www.debian.org/security/2015/dsa-3381
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
- http://www.securityfocus.com/bid/77194
- http://www.securitytracker.com/id/1033884
- http://www.ubuntu.com/usn/USN-2784-1
- http://www.ubuntu.com/usn/USN-2827-1
- https://access.redhat.com/errata/RHSA-2016:1430
- https://security.gentoo.org/glsa/201603-11
- https://security.gentoo.org/glsa/201603-14
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2015-1921.html
- https://rhn.redhat.com/errata/RHSA-2015-1920.html
- https://rhn.redhat.com/errata/RHSA-2015-1919.html
- https://rhn.redhat.com/errata/RHSA-2015-1928.html
- https://rhn.redhat.com/errata/RHSA-2015-1926.html
- https://rhn.redhat.com/errata/RHSA-2015-1927.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/cf0cf52d0c6c
- https://rhn.redhat.com/errata/RHSA-2015-2086.html
- https://rhn.redhat.com/errata/RHSA-2015-2508.html
- https://rhn.redhat.com/errata/RHSA-2015-2507.html
- https://rhn.redhat.com/errata/RHSA-2015-2509.html
- https://rhn.redhat.com/errata/RHSA-2015-2506.html
- https://rhn.redhat.com/errata/RHSA-2015-2518.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1273496
Frequently Asked Questions
What is the severity of CVE-2015-4903?
CVE-2015-4903 is rated as a high severity vulnerability due to its potential to allow untrusted applications to bypass security protections.
How do I fix CVE-2015-4903?
To fix CVE-2015-4903, it's recommended to update to a version of the Oracle JDK or JRE that addresses this vulnerability.
What are the affected versions in CVE-2015-4903?
CVE-2015-4903 affects Oracle JDK versions 1.6.0-update101, 1.7.0-update85, and 1.8.0-update51 and update60, along with corresponding JRE versions.
What does CVE-2015-4903 allow an attacker to do?
CVE-2015-4903 could allow an untrusted Java application to bypass Java sandbox restrictions and execute arbitrary code.
Is CVE-2015-4903 a local or remote vulnerability?
CVE-2015-4903 is considered a remote vulnerability as it can be exploited through untrusted applications or applets running over a network.
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-4903
- agent/type
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/author
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.6.0-update101
- version/oracle java se 7/1.7.0-update85
- version/oracle java se 7/1.8.0-update51
- version/oracle java se 7/1.8.0-update60
- canonical/oracle jre
- version/oracle jre/1.6.0-update_101
- version/oracle jre/1.7.0-update_85
- version/oracle jre/1.8.0-update_51
- version/oracle jre/1.8.0-update_60