CVE-2015-2590
Published: 16 July 2015
Summary
CVE-2015-2590 is a critical-severity vulnerability of unspecified weakness class in Oracle Java SE, tracked here against Red Hat Enterprise Linux EUS, which ships affected Java packages. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2015-2590 is an unspecified vulnerability affecting the Libraries component of Oracle Java SE versions 6u95, 7u80, and 8u45, as well as Java SE Embedded versions 7u75 and 8u33. It is distinct from CVE-2015-4732 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required privileges or user interaction.
Remote attackers can exploit the flaw via unknown vectors to affect confidentiality, integrity, and availability on affected systems; the CVE description names neither the vector nor the weakness class. The CVSS vector (network, no privileges, no user interaction, high impact on all three properties) corresponds to complete compromise of the affected Java runtime environment without authentication.
Advisories from openSUSE and Red Hat, including RHSA-2015-1228, address the issue through updated Java packages that remediate the Libraries component exposure in supported distributions. Note that distribution-built OpenJDK packages carry the fix under their own package versions rather than the Oracle update numbers listed above, so patch state on those hosts should be checked against the vendor advisory rather than the Oracle version alone. The references provide no details on the in-the-wild exploitation behind the KEV listing and no mitigations beyond vendor patches.
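The practical first step for SI-2 is finding hosts still running a listed update level. The following Python script is an added example, not part of the CVE record or of any vendor advisory: it parses `java -version` banners and flags Java 6, 7 and 8 runtimes at or below 6u95, 7u80 and 8u45. It assumes (not stated in the CVE text) that any earlier update in the same family is equally unpatched, that anything above those levels carries the July 2015 fix, that Java SE Embedded prints the same banner format, and that the sample banners it ships with are constructed, not captured from real hosts. For distribution-built OpenJDK (such as the packages covered by RHSA-2015-1228) the banner comparison is only triage; the package advisory is authoritative.

```python
"""Added example (not part of the CVE record): flag Java runtimes at the
update levels CVE-2015-2590 lists as affected, from `java -version` banners.

Assumptions (not from the advisory text):
  * An update at or below the listed level (6u95, 7u80, 8u45) is treated as
    unpatched, since earlier updates predate the July 2015 fix; anything
    above it is treated as patched.
  * Java SE Embedded (7u75, 8u33) prints the same banner format, so the same
    family/update rule covers it.
  * Distro-built OpenJDK backports fixes under its own package versions; for
    those hosts the package advisory (e.g. RHSA-2015-1228) is authoritative
    and this banner check is only a first triage.
"""
import re
import subprocess
from typing import NamedTuple, Optional

# Highest affected update per major family, from the CVE description.
AFFECTED_MAX_UPDATE = {6: 95, 7: 80, 8: 45}


class JavaVersion(NamedTuple):
    family: int   # 6, 7, 8 for legacy "1.x.0_NN" banners; 9+ for the new scheme
    update: int   # the "_NN" update number; 0 when absent


# Legacy scheme: java version "1.8.0_45" / openjdk version "1.7.0_80"
_LEGACY = re.compile(r'version "1\.(\d)\.\d+(?:_(\d+))?[^"]*"')
# Post-JEP-223 scheme: java version "11.0.2" / openjdk version "9"
_MODERN = re.compile(r'version "(\d+)(?:\.\d+)*[^"]*"')


def parse_java_version(banner: str) -> Optional[JavaVersion]:
    """Extract (family, update) from a java -version banner, or None."""
    m = _LEGACY.search(banner)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2) or 0))
    m = _MODERN.search(banner)
    if m:
        return JavaVersion(int(m.group(1)), 0)
    return None


def is_affected(v: JavaVersion) -> bool:
    """True when the family is listed and the update is at or below its ceiling."""
    ceiling = AFFECTED_MAX_UPDATE.get(v.family)
    return ceiling is not None and v.update <= ceiling


def assess(banner: str) -> str:
    v = parse_java_version(banner)
    if v is None:
        return "unknown: could not parse version banner"
    if is_affected(v):
        return f"AFFECTED: Java {v.family}u{v.update} is at or below the CVE-2015-2590 level"
    return f"not affected: Java {v.family}u{v.update} is outside the listed range"


def assess_local_java() -> str:
    """Run java -version on this host (Java 8 and earlier print it to stderr)."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"unknown: could not run java -version ({exc})"
    return assess(out.stderr + out.stdout)


# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "oracle8u45": 'java version "1.8.0_45"\nJava(TM) SE Runtime Environment (build 1.8.0_45-b14)',
    "openjdk7u79": 'openjdk version "1.7.0_79"\nOpenJDK Runtime Environment (IcedTea 2.5.5)',
    "oracle8u51": 'java version "1.8.0_51"\nJava(TM) SE Runtime Environment (build 1.8.0_51-b16)',
    "java6u95": 'java version "1.6.0_95"',
    "java11": 'openjdk version "11.0.2" 2019-01-15',
    "garbage": "bash: java: command not found",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:12} -> {assess(banner)}")
    print(f"{'local':12} -> {assess_local_java()}")
```

Hosts that report "unknown" (no `java` on PATH, or an unparsable banner) still need a package-manager check, since a JRE bundled inside an application directory never appears in the default PATH.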
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-2682
Vulnerability details
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45, and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2015-4732.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely installation of the vendor patches that remediate the Libraries flaw in the listed Java SE/Embedded versions.
- CM-7 (Least Functionality): enforces disabling or removing Java runtime components where they are not required, eliminating the attack surface for this remotely exploitable vulnerability.
- SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms that can block or alert on exploit attempts targeting the unauthenticated Java Libraries vector.