Cyber Resilience

CVE-2015-4902

Severity: Medium
Flags: CISA KEV, Active Exploitation, EUVD Exploited

Published: 22 October 2015
Modified: 22 April 2026
KEV Added: 03 March 2022
Patch
CVSS v3.1 Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.1825 (95.4th percentile)
Risk Priority: 42 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2015-4902 is a medium-severity Improper Access Control (CWE-284) vulnerability in SUSE Linux Enterprise Server. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 4.6% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-4902 is an unspecified vulnerability in the Deployment component of Oracle Java SE 6u101, 7u85, and 8u60. It is tracked under CWE-284 (Improper Access Control) and carries a CVSS 3.1 base score of 5.3, reflecting a flaw that is reachable over the network, needs no authentication or user interaction, and affects integrity only.

Remote attackers can exploit the issue over the network with low attack complexity to modify data or behavior in affected Java deployments, while confidentiality and availability remain unaffected.

Multiple openSUSE security advisories reference the vulnerability and indicate that it is mitigated by the updated Java packages distributed for the affected openSUSE releases. The source details provide no information on observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor   Product                                      Versions
oracle   jdk                                          1.6.0, 1.7.0, 1.8.0
oracle   jre                                          1.6.0, 1.7.0, 1.8.0
redhat   satellite                                    5.6, 5.7
redhat   enterprise linux desktop                     5.0, 6.0, 7.0
redhat   enterprise linux eus                         6.7, 7.2, 7.3, 7.4, 7.5
redhat   enterprise linux eus compute node            7.2, 7.3
redhat   enterprise linux for ibm z systems           5.0_s390x, 6.0_s390x, 7.0_s390x
redhat   enterprise linux for ibm z systems eus       6.7_s390x, 7.2_s390x, 7.3_s390x, 7.4_s390x, 7.5_s390x
redhat   enterprise linux for power big endian        5.0_ppc, 6.0_ppc64, 7.0_ppc64
redhat   enterprise linux for power big endian eus    6.7_ppc64, 7.2_ppc64, 7.3_ppc64, 7.4_ppc64, 7.5_ppc64

+11 more product configuration(s); see NVD for the full list.

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (type: prevent)
Directly requires timely installation of the vendor patches that eliminate the Java Deployment flaw before remote integrity attacks can succeed.

SC-18 Mobile Code (type: prevent)
Mandates usage restrictions and security controls on mobile code such as Java applets delivered through the Deployment component.

Control (type: prevent)
Enforces disabling or limiting Java runtime and deployment features that are not explicitly required, reducing the attack surface for this vulnerability.

References