ID CVE-2015-4860
Summary Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883.
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jre:1.6.0:update_101
    cpe:2.3:a:oracle:jre:1.6.0:update_101
  • cpe:2.3:a:oracle:jdk:1.6.0:update_101
    cpe:2.3:a:oracle:jdk:1.6.0:update_101
  • cpe:2.3:a:oracle:jre:1.7.0:update_85
    cpe:2.3:a:oracle:jre:1.7.0:update_85
  • cpe:2.3:a:oracle:jdk:1.7.0:update_85
    cpe:2.3:a:oracle:jdk:1.7.0:update_85
  • cpe:2.3:a:oracle:jre:1.8.0:update_60
    cpe:2.3:a:oracle:jre:1.8.0:update_60
  • cpe:2.3:a:oracle:jdk:1.8.0:update_60
    cpe:2.3:a:oracle:jdk:1.8.0:update_60
  • cpe:2.3:a:oracle:jdk:1.8.0:update_51
    cpe:2.3:a:oracle:jdk:1.8.0:update_51
  • cpe:2.3:a:oracle:jre:1.8.0:update_51
    cpe:2.3:a:oracle:jre:1.8.0:update_51
CVSS
Base: 10.0 (as of 26-05-2016 - 08:23)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1430.NASL
    description An update for java-1.7.0-ibm and java-1.7.1-ibm is now available for Red Hat Satellite 5.7 and Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to versions 7 SR9-FP40 and 7R1 SR3-FP40. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4871, CVE-2015-4872, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4902, CVE-2015-4903, CVE-2015-5006, CVE-2015-5041, CVE-2015-7575, CVE-2015-7981, CVE-2015-8126, CVE-2015-8472, CVE-2015-8540, CVE-2016-0264, CVE-2016-0363, CVE-2016-0376, CVE-2016-0402, CVE-2016-0448, CVE-2016-0466, CVE-2016-0483, CVE-2016-0494, CVE-2016-0686, CVE-2016-0687, CVE-2016-3422, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 92400
    published 2016-07-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92400
    title RHEL 5 / 6 : java-1.7.0-ibm and java-1.7.1-ibm (RHSA-2016:1430) (SLOTH)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-106.NASL
    description java-1_8_0-openjdk was updated to version 7u95 to fix several security issues. (bsc#962743) The following vulnerabilities were fixed : - CVE-2015-7575: Further reduce use of MD5 (SLOTH) (bsc#960996) - CVE-2015-8126: Vulnerability in the AWT component related to splashscreen displays - CVE-2015-8472: Vulnerability in the AWT component, addressed by same fix - CVE-2016-0402: Vulnerability in the Networking component related to URL processing - CVE-2016-0448: Vulnerability in the JMX comonent related to attribute processing - CVE-2016-0466: Vulnerability in the JAXP component, related to limits - CVE-2016-0483: Vulnerability in the AWT component related to image decoding - CVE-2016-0494: Vulnerability in 2D component related to font actions Includes the following fixes from the October 2015 update: (bsc#951376) - CVE-2015-4734: A remote user can exploit a flaw in the Embedded JGSS component to partially access data - CVE-2015-4803: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4805: A remote user can exploit a flaw in the Embedded Serialization component to gain elevated privileges - CVE-2015-4806: A remote user can exploit a flaw in the Java SE Embedded Libraries component to partially access and partially modify data - CVE-2015-4835: A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges - CVE-2015-4842: A remote user can exploit a flaw in the Embedded JAXP component to partially access data - CVE-2015-4843: A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges - CVE-2015-4844: A remote user can exploit a flaw in the Embedded 2D component to gain elevated privileges - CVE-2015-4860: A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges - CVE-2015-4872: A remote user can exploit a flaw in the JRockit Security component to partially modify data []. - CVE-2015-4881: A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges - CVE-2015-4882: A remote user can exploit a flaw in the Embedded CORBA component to cause partial denial of service conditions - CVE-2015-4883: A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges - CVE-2015-4893: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4902: A remote user can exploit a flaw in the Java SE Deployment component to partially modify data - CVE-2015-4903: A remote user can exploit a flaw in the Embedded RMI component to partially access data - CVE-2015-4911: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4810: A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges - CVE-2015-4840: A remote user can exploit a flaw in the Embedded 2D component to partially access data - CVE-2015-4868: A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges - CVE-2015-4901: A remote user can exploit a flaw in the JavaFX component to gain elevated privileges - CVE-2015-4906: A remote user can exploit a flaw in the JavaFX component to partially access data - CVE-2015-4908: A remote user can exploit a flaw in the JavaFX component to partially access data - CVE-2015-4916: A remote user can exploit a flaw in the JavaFX component to partially access data
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 88537
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88537
    title openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2016-106) (SLOTH)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201603-14.NASL
    description The remote host is affected by the vulnerability described in GLSA-201603-14 (IcedTea: Multiple vulnerabilities) Various OpenJDK attack vectors in IcedTea, such as 2D, Corba, Hotspot, Libraries, and JAXP, exist which allows remote attackers to affect the confidentiality, integrity, and availability of vulnerable systems. This includes the possibility of remote execution of arbitrary code, information disclosure, or Denial of Service. Many of the vulnerabilities can only be exploited through sandboxed Java Web Start applications and java applets. Please reference the CVEs listed for specific details. Impact : Remote attackers may remotely execute arbitrary code, compromise information, or cause Denial of Service. Workaround : There is no known work around at this time.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 89907
    published 2016-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89907
    title GLSA-201603-14 : IcedTea: Multiple vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1926.NASL
    description Updated java-1.8.0-oracle packages that fix several security issues are now available for Oracle Java for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2015-4734, CVE-2015-4803, CVE-2015-4805, CVE-2015-4806, CVE-2015-4810, CVE-2015-4835, CVE-2015-4840, CVE-2015-4842, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4868, CVE-2015-4872, CVE-2015-4881, CVE-2015-4882, CVE-2015-4883, CVE-2015-4893, CVE-2015-4901, CVE-2015-4902, CVE-2015-4903, CVE-2015-4906, CVE-2015-4908, CVE-2015-4911, CVE-2015-4916) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. All users of java-1.8.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 8 Update 65 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86560
    published 2015-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86560
    title RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2015:1926)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-696.NASL
    description java-1_8_0-openjdk was updated to fix 24 security issues. These security issues were fixed : - CVE-2015-4734: A remote user can exploit a flaw in the Embedded JGSS component to partially access data - CVE-2015-4803: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4805: A remote user can exploit a flaw in the Embedded Serialization component to gain elevated privileges - CVE-2015-4806: A remote user can exploit a flaw in the Java SE Embedded Libraries component to partially access and partially modify data - CVE-2015-4835: A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges - CVE-2015-4842: A remote user can exploit a flaw in the Embedded JAXP component to partially access data - CVE-2015-4843: A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges - CVE-2015-4844: A remote user can exploit a flaw in the Embedded 2D component to gain elevated privileges - CVE-2015-4860: A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges - CVE-2015-4872: A remote user can exploit a flaw in the JRockit Security component to partially modify data []. - CVE-2015-4881: A remote user can exploit a flaw in the Embedded CORBA component to gain elevated privileges - CVE-2015-4882: A remote user can exploit a flaw in the Embedded CORBA component to cause partial denial of service conditions - CVE-2015-4883: A remote user can exploit a flaw in the Embedded RMI component to gain elevated privileges - CVE-2015-4893: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4902: A remote user can exploit a flaw in the Java SE Deployment component to partially modify data - CVE-2015-4903: A remote user can exploit a flaw in the Embedded RMI component to partially access data - CVE-2015-4911: A remote user can exploit a flaw in the JRockit JAXP component to cause partial denial of service conditions - CVE-2015-4810: A local user can exploit a flaw in the Java SE Deployment component to gain elevated privileges - CVE-2015-4840: A remote user can exploit a flaw in the Embedded 2D component to partially access data - CVE-2015-4868: A remote user can exploit a flaw in the Java SE Embedded Libraries component to gain elevated privileges - CVE-2015-4901: A remote user can exploit a flaw in the JavaFX component to gain elevated privileges - CVE-2015-4906: A remote user can exploit a flaw in the JavaFX component to partially access data - CVE-2015-4908: A remote user can exploit a flaw in the JavaFX component to partially access data - CVE-2015-4916: A remote user can exploit a flaw in the JavaFX component to partially access data
    last seen 2019-02-21
    modified 2015-11-05
    plugin id 86731
    published 2015-11-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86731
    title openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2015-696)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2015-007.NASL
    description The remote host is running a version of Mac OS X 10.9.5 or 10.10.5 that is missing Security Update 2015-004 or 2015-007. It is, therefore, affected by multiple vulnerabilities in the following components : - Accelerate Framework - apache_mod_php - ATS - Audio - CFNetwork - CoreGraphics - CoreText - EFI - FontParser - Grand Central Dispatch - ImageIO - IOAcceleratorFamily - Kernel - libarchive - MCX Application Restrictions - OpenGL Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 86829
    published 2015-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86829
    title Mac OS X Multiple Vulnerabilities (Security Updates 2015-004 / 2015-007)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A5934BA8A37611E585E914DAE9D210B8.NASL
    description Oracle reports : This Critical Patch Update contains 25 new security fixes for Oracle Java SE. 24 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87386
    published 2015-12-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87386
    title FreeBSD : java -- multiple vulnerabilities (a5934ba8-a376-11e5-85e9-14dae9d210b8)
  • NASL family Misc.
    NASL id ORACLE_JAVA_CPU_OCT_2015_UNIX.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 65, 7 Update 91, or 6 Update 105. It is, therefore, affected by security vulnerabilities in the following components : - 2D - CORBA - Deployment - JavaFX - JAXP - JGSS - Libraries - RMI - Security - Serialization
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 86543
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86543
    title Oracle Java SE Multiple Vulnerabilities (October 2015 CPU) (Unix)
  • NASL family Windows
    NASL id ORACLE_JAVA_CPU_OCT_2015.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 65, 7 Update 91, or 6 Update 105. It is, therefore, affected by security vulnerabilities in the following components : - 2D - CORBA - Deployment - JavaFX - JAXP - JGSS - Libraries - RMI - Security - Serialization
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 86542
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86542
    title Oracle Java SE Multiple Vulnerabilities (October 2015 CPU)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2518.NASL
    description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. IBM J2SE version 5.0 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update fixes several vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2015-4805, CVE-2015-4806, CVE-2015-4843, CVE-2015-4844, CVE-2015-4860, CVE-2015-4872, CVE-2015-4883, CVE-2015-4902, CVE-2015-4903) Red Hat would like to thank Andrea Palazzo of Truel IT for reporting the CVE-2015-4806 issue. IBM Java SDK and JRE 5.0 will not receive software updates after September 2015. This date is referred to as the End of Service (EOS) date. Customers are advised to migrate to current versions of IBM Java at this time. IBM Java SDK and JRE versions 6 and 7 are available via the Red Hat Enterprise Linux 5 and 6 Supplementary content sets and will continue to receive updates based on IBM's lifecycle policy, linked to in the References section. Customers can also consider OpenJDK, an open source implementation of the Java SE specification. OpenJDK is available by default on supported hardware architectures. All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM J2SE 5.0 SR16-FP14 release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 87099
    published 2015-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87099
    title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2015:2518)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2216-1.NASL
    description The java-1_7_0-ibm package was updated to version 7.0-9.20 to fix several security and non security issues : - bnc#955131: Version update to 7.0-9.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87277
    published 2015-12-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87277
    title SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2015:2216-1) (FREAK)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-2182-1.NASL
    description The java-1_7_1-ibm package was updated to version 7.1-3.20 to fix several security and non security issues : - bnc#955131: Version update to 7.1-3.20: CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871 CVE-2015-4872 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911 CVE-2015-5006 - Add backcompat symlinks for sdkdir - bnc#941939: Fix to provide %{name} instead of %{sdklnk} only in _jvmprivdir Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 87200
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87200
    title SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2015:2182-1) (FREAK)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201603-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-201603-11 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities exist in both Oracle’s JRE and JDK. Please review the referenced CVE’s for additional information. Impact : Remote attackers could gain access to information, remotely execute arbitrary code, and cause Denial of Service. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-06-29
    plugin id 89904
    published 2016-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89904
    title GLSA-201603-11 : Oracle JRE/JDK: Multiple vulnerabilities (Logjam)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-695.NASL
    description