#VU5588 Security bypass in Oracle Java SE - CVE-2015-4902

Cybersecurity Help s.r.o.

Published: 2017-02-02 | Updated: 2022-03-08

Vulnerability identifier: #VU5588

Vulnerability risk: Critical

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2015-4902

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Oracle Java SE
Universal components / Libraries / Software for developers

Vendor: Oracle

Description
The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to unknown error related to the Java SE Deployment component. A remote attacker can bypass the click-to-play protection in Java.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Oracle Java SE: 6u101, 7u85, 8u60

External links
https://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
https://blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Security bypass Oracle Java SE