⚠ Actively exploited

Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: Apply updates per vendor instructions..

CVE-2015-2590

CWE-56718 documents12 sources

Severity

9.8CRITICAL

EPSS

63.0%

top 1.61%

CISA KEV

KEV

Added 2022-03-03

Due 2022-03-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

Canonical Ubuntu Linux Debian Debian Linux Opensuse Opensuse +18 more

Timeline

PublishedJul 16

KEV addedMar 3

KEV dueMar 24

Latest updateMay 13

CISA Required Action: Apply updates per vendor instructions.

Description

Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages12 packages

▶NVDoracle/jdk1.6.0, 1.7.0, 1.8.0+2

▶NVDoracle/jre1.6.0, 1.7.0, 1.8.0+2

▶Ubuntuopenjdk-6< 6b36-1.13.8-0ubuntu1~14.04

▶Ubuntuopenjdk-7< 7u79-2.5.6-0ubuntu1.14.04.1

▶NVDredhat/satellite5.6, 5.7+1

Also affects: Debian Linux 7.0, 8.0, Ubuntu Linux 12.04, 14.04, 15.04, Enterprise Linux 6.6, 6.7, 7.1, 7.2, 7.3, 7.4, 7.5, 6.0, 6.0_ppc64, 7.0_ppc64, 6.7_ppc64, 7.1_ppc64, 7.2_ppc64, 7.3_ppc64, 7.4_ppc64, 7.5_ppc64, 7.0, 7.6, 7.7

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-mhp7-xhx6-9x45: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality↗2022-05-13

▶

OSV

openjdk-7 vulnerabilities↗2015-07-30

▶

OSV

CVE-2015-2590: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality↗2015-07-16

▶

CVEList

CVE-2015-2590: Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality↗2015-07-16

▶

VulnCheck

Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability↗2015

▶

🔍Detection Rules

Suricata

ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 1↗2015-07-31

▶

Suricata

ET MALWARE Possible Java/Downloader Observed in Pawn Storm CVE-2015-2590 2↗2015-07-31

▶

📋Vendor Advisories

CISA

Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability↗2022-03-03

▶

Ubuntu

OpenJDK 6 vulnerabilities↗2015-08-06

▶

Ubuntu

OpenJDK 7 vulnerabilities↗2015-07-30

▶

Ubuntu

OpenJDK 7 vulnerabilities↗2015-07-30

▶

Red Hat

OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)↗2015-07-14

▶

💬Community

Bugzilla

CVE-2015-2590 OpenJDK: deserialization issue in ObjectInputStream.readSerialData() (Libraries, 8076401)↗2015-07-14

▶