CVE-2015-4902
Published: 22 October 2015
Summary
CVE-2015-4902 is a medium-severity Improper Access Control (CWE-284) vulnerability in SUSE Linux Enterprise Server. Its CVSS base score is 5.3 (Medium).
Operationally, it is ranked in the top 4.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2015-4902 is an unspecified vulnerability affecting the Deployment component of Oracle Java SE versions 6u101, 7u85, and 8u60. It is tracked under CWE-284 and carries a CVSS 3.1 base score of 5.3, reflecting a network-accessible flaw that impacts integrity without requiring authentication or user interaction.
Remote attackers can exploit the issue over the network with low attack complexity to modify data or behavior in affected Java deployments, while confidentiality and availability remain unaffected.
Multiple openSUSE security advisories reference the vulnerability and indicate that mitigation is achieved through updated Java packages distributed for affected openSUSE releases. No information on observed in-the-wild exploitation is provided in the source details.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-4919
Vulnerability details
Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment.
- CWE(s)
- KEV Date Added: 03 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches that eliminate the Java Deployment flaw before remote integrity attacks can succeed.
Mandates usage restrictions and security controls on mobile code such as Java applets delivered through the Deployment component.
Enforces disabling or limiting Java runtime and deployment features that are not explicitly required, reducing the attack surface for this vulnerability.