First published: Sat Apr 14 2018(Updated: )
It was discovered that the implementation of the StubIORImpl class in the Serialization component of OpenJDK did not limit the amount of memory allocated when creating object instance from a serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
Affected Software | Affected Version | How to fix |
---|---|---|
debian/openjdk-8 | 8u432-b06-2 | |
Oracle JDK 6 | =1.6.0-update181 | |
Oracle JDK 6 | =1.7.0-update171 | |
Oracle JDK 6 | =1.8.0-update162 | |
Oracle JDK 6 | =10 | |
Oracle Java Runtime Environment (JRE) | =1.6.0-update181 | |
Oracle Java Runtime Environment (JRE) | =1.7.0-update171 | |
Oracle Java Runtime Environment (JRE) | =1.8.0-update162 | |
Oracle Java Runtime Environment (JRE) | =10 | |
BEA JRockit | =r28.3.17 | |
redhat enterprise Linux desktop | =6.0 | |
redhat enterprise Linux desktop | =7.0 | |
redhat enterprise Linux server | =6.0 | |
redhat enterprise Linux server | =7.0 | |
redhat enterprise Linux server aus | =7.6 | |
redhat enterprise Linux server eus | =7.5 | |
redhat enterprise Linux server eus | =7.6 | |
redhat enterprise Linux server tus | =7.6 | |
redhat enterprise Linux workstation | =6.0 | |
redhat enterprise Linux workstation | =7.0 | |
Debian | =8.0 | |
Debian | =9.0 | |
Ubuntu | =14.04 | |
Ubuntu | =16.04 | |
Ubuntu | =17.10 | |
Schneider Electric EcoStruxure Data Center Expert | <7.6.0 | |
HP P9000 Command View Advanced Edition Software | ||
Oracle JDK 6 | =1.10.0 | |
Oracle Java Runtime Environment (JRE) | =1.10.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The severity of CVE-2018-2815 is medium with a CVSS score of 5.3.
Java SE versions 6u181, 7u171, 8u162, and 10 are affected by CVE-2018-2815.
The Serialization component of Oracle Java SE is vulnerable in CVE-2018-2815.
CVE-2018-2815 can be exploited by an unauthenticated attacker.
You can find more information about CVE-2018-2815 on the Oracle website and other security advisories.