CVE-2015-2590 — Oracle Java SE and Java SE Embedded Remote Code Execution Vulnerability

CVE-2015-2590

Oracle Java SE — Java Sandbox Bypass Enables Pre-Auth RCE; Exploit Kit Target; Oracle CPU July 2015; Fixed Java 8u51

What Is Oracle Java SE?

Oracle Java SE (Standard Edition) is a cross-platform computing platform and runtime environment. The Java browser plugin (the NPAPI/ActiveX plugin, npjp2.dll on Windows) allowed web pages to load and execute Java applets directly in the browser, a powerful and historically heavily exploited attack surface; Java Web Start (javaws, launched from JNLP files) was a second web-delivered launch path with the same sandbox model. At peak deployment in 2012–2014 the Java browser plugin was installed on hundreds of millions of machines. Applets run inside the Java Virtual Machine (JVM) under a security sandbox that is meant to stop them from touching system resources.

Java sandbox bypass vulnerabilities, which let an applet escape the sandbox and execute arbitrary code on the host, are among the most impactful browser plugin bugs: the same exploit works cross-platform (Windows, macOS, Linux) and in principle needs nothing beyond the page load. One caveat: from Java 7u51 (January 2014) the default deployment security level blocks unsigned and self-signed applets behind a prompt, so drive-by attackers of this era also needed a click-to-play or security-level bypass, or a signed delivery vehicle, to get the applet running at all.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022; federal agencies were required to remediate it under BOD 22-01 by March 24, 2022.

CVE-2015-2590 is a remote code execution vulnerability in Oracle Java SE and Java SE Embedded that allows an unauthenticated remote attacker to completely compromise the Java environment and execute arbitrary code. The vulnerability resides in the Libraries component of the Java runtime and can be exploited via a malicious web page when the Java browser plugin is installed. Patched in Oracle's July 2015 Critical Patch Update as Java 8u51 (and Java 7u85). Commercial exploit kits (Angler, Nuclear) rapidly integrated CVE-2015-2590 for Java browser plugin exploitation.

Affected Versions

Java SE Status
Java SE 6u95 and earlier Vulnerable
Java SE 7u80 and earlier Vulnerable
Java SE 8u45 and earlier Vulnerable
Java SE Embedded 7u75 / 8u33 and earlier Vulnerable
Java SE 7u85 Fixed
Java SE 8u51 Fixed

Technical Details

Root Cause: Java Security Manager Bypass

CVE-2015-2590 is classified as improper access control (CWE-284) in the Libraries component of Java SE. Oracle's advisory gives no root-cause detail beyond that component name; what it does state is the exploit model: the bug applies to deployments (typically clients) that load and run untrusted code, sandboxed applets or Java Web Start applications, and rely on the Java sandbox for security, and does not apply to deployments (typically servers) that load and run only trusted code. In other words, untrusted code running under the sandbox breaks out of it and performs privileged operations.

Java's sandbox is enforced by the Security Manager (java.lang.SecurityManager; deprecated for removal in Java 17 and permanently disabled in Java 24). When untrusted code attempts a privileged action such as file access, network access or process execution, the JDK library calls into the manager, which walks the call stack and refuses unless every protection domain on it holds the required permission. A sandbox bypass is a sequence of operations that reaches a privileged code path without that check applying. The classes that Java escapes of this era relied on are:

  • Reflection abuse: using Java reflection, or JDK classes that wrap reflection, to reach internal privileged APIs without a Security Manager check on the way in
  • Type confusion: exploiting a gap in type checking so that a restricted object is treated as a trusted one
  • Deserialization: coercing ObjectInputStream into constructing objects or invoking code paths the manager never sees

Which of these CVE-2015-2590 used is not documented in the vendor advisory. The endgame is the same in every case: from a privileged context the exploit calls System.setSecurityManager(null), after which the manager is gone and Runtime.exec() runs arbitrary OS commands with the privileges of the JVM process, normally those of the logged-in user.

Cross-Platform Impact

A browser memory-corruption exploit (Internet Explorer, Flash) needs platform-specific heap layout and payloads; a Java sandbox bypass is pure Java and runs the same applet unchanged on any platform with the plugin installed: Windows, macOS and Linux. That reach makes Java zero-days disproportionately valuable to exploit kit operators and intrusion groups targeting heterogeneous enterprise environments.

Attack Characteristics

Attribute Detail
Attack Vector Network — malicious web page with Java applet
Authentication None required
User Interaction None required (applet auto-executes)
Platform Cross-platform (Windows, macOS, Linux)
Exploit Kit Angler, Nuclear (July 2015 campaigns)

Discovery

Patched in Oracle's July 2015 Critical Patch Update (Java 8u51, Java 7u85), which addressed 25 Java SE security vulnerabilities. Oracle rated CVE-2015-2590 at CVSS 2.0 base score 10.0, the highest rating in its Java risk matrix, because it is exploitable over the network without authentication and yields full compromise of the runtime.

Exploitation Context

  • Exploit kit integration: CVE-2015-2590 was rapidly integrated into Angler and Nuclear exploit kits in July–August 2015 for drive-by exploitation of users with the Java browser plugin installed; the Java plugin was still present on a significant fraction of enterprise machines in 2015
  • Enterprise Java deployments: Many enterprise environments maintained older Java versions to support legacy applications; these systems were often behind on Java updates and vulnerable to current exploit kit payloads
  • Cross-platform value: Java exploits work against macOS and Linux targets in addition to Windows — a significant advantage for APT groups targeting mixed-OS environments
  • Java browser plugin EOL: Oracle deprecated the browser plugin (and Java Web Start) in Java 9 (September 2017) and removed both from Java 11 (September 2018); every current browser has dropped NPAPI, so the drive-by vector no longer exists on a patched desktop. Java SE Embedded, third-party JNLP launchers that keep Web Start alive, and any deployment that still runs untrusted code under an old runtime remain in scope.
  • CISA KEV: added 2022-03-03 with a BOD 22-01 remediation deadline of 2022-03-24
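The two checks a responder most wants from the affected-version table and the drive-by discussion above are (a) whether a given Java version string predates the fix and (b) which hosts are still driving an unpatched Java through the web proxy, which is exactly what a drive-by campaign against the plugin relies on. The script below is an added example, not code from the advisory or from Oracle. It assumes proxy logs in Apache combined format and the Java HTTP stack's "Java/<version>" User-Agent token; the log lines are constructed. The fix levels are 8u51 and 7u85 from the advisory plus 6u101, Oracle's July 2015 fix for Java 6, which went only to extended-support customers and is not on this page.

```python
"""Triage helpers for CVE-2015-2590 (added example; not from the advisory).

Two questions a responder has about this bug: is a given Java runtime older
than the July 2015 fix, and which hosts are still driving a pre-fix Java
through the web proxy? Fix levels follow Oracle's July 2015 CPU: 8u51 and
7u85 from the advisory; 6u101 is the Java 6 fix level, which Oracle shipped
only to extended-support customers (a fact not on the advisory page).
"""
import re
from typing import List, Optional, Tuple

# First update level that carries the fix, by major version.
FIXED_UPDATE = {6: 101, 7: 85, 8: 51}

# Two version schemes: legacy "1.<major>.0_<update>" (Java 8 and earlier)
# and "<major>.<minor>.<security>" (Java 9 and later).
_LEGACY = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")
_MODERN = re.compile(r"^(\d+)(?:\.\d+)*")


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """'1.8.0_45' -> (8, 45); '11.0.2' -> (11, 0); unparseable -> None."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = _MODERN.match(text)
    if m:
        return int(m.group(1)), 0
    return None


def is_vulnerable(version: str) -> Optional[bool]:
    """True if `version` predates the CVE-2015-2590 fix, False if at or past
    it, None if the string is not a Java version."""
    parsed = parse_java_version(version)
    if parsed is None:
        return None
    major, update = parsed
    if major >= 9:
        return False      # every 9+ release post-dates the July 2015 CPU
    if major < 6:
        return True       # Java 5 and older: no fix was ever published
    return update < FIXED_UPDATE[major]


# Java's HTTP client (plugin, Web Start, applet class loading) identifies
# itself with "... Java/<version>" in the User-Agent, unlike a browser.
_JAVA_UA = re.compile(r"\bJava/(1\.\d+\.\d+(?:_\d+)?|\d+(?:\.\d+)*)")

# Apache/NCSA combined log format; adjust the pattern for other proxies.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def find_vulnerable_java_clients(log_lines) -> List[Tuple[str, str, str]]:
    """Return (client_ip, java_version, url) for every request made by a
    Java runtime that predates the fix. Browser traffic and patched JREs
    are ignored; lines that do not match the log format are skipped."""
    hits = []
    for line in log_lines:
        m = _COMBINED.match(line)
        if not m:
            continue
        ua = _JAVA_UA.search(m.group("ua"))
        if not ua:
            continue
        version = ua.group(1)
        if is_vulnerable(version) is True:
            hits.append((m.group("ip"), version, m.group("url")))
    return hits


# Constructed sample log lines (not real traffic) in combined log format.
SAMPLE_LOG = [
    '10.1.2.3 - - [22/Jul/2015:10:14:05 +0000] "GET /ads/banner.jar HTTP/1.1" 200 48213 "-" '
    '"Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_45"',
    '10.1.2.4 - - [22/Jul/2015:10:15:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0"',
    '10.1.2.5 - - [22/Jul/2015:10:16:40 +0000] "GET /app/launch.jnlp HTTP/1.1" 200 2048 "-" '
    '"Mozilla/4.0 (Windows 7 6.1) Java/1.8.0_51"',
    '10.1.2.6 - - [22/Jul/2015:10:17:02 +0000] "GET /legacy/applet.jar HTTP/1.1" 200 77001 "-" '
    '"Mozilla/4.0 (Linux 3.13.0-55-generic) Java/1.7.0_80"',
    "not a log line",
]

if __name__ == "__main__":
    for ip, version, url in find_vulnerable_java_clients(SAMPLE_LOG):
        print(f"{ip}\tJava {version}\t{url}")
```

Point find_vulnerable_java_clients at real lines (an open file iterator works as-is) and the result is the list of (client, JRE, URL) to chase; the same is_vulnerable check works on the output of java -version or software-inventory exports, including Java 9+ strings such as 17.0.2. Patched 8u51 clients and ordinary browser traffic are deliberately not reported, so the output is the hosts that still need remediation rather than everything that touched a .jar.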

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update Java to 8u51 / 7u85 or later for the July 2015 fix. Current Java LTS releases (11, 17, 21) post-date the fix and no longer ship the browser plugin at all.

  2. Remove the Java browser plugin. No current browser loads NPAPI plugins, so the plugin adds exposure and nothing else; disable Java content in the browser via the Java Control Panel (or the system-wide deployment configuration) and uninstall JREs that predate Java 11, which no longer bundles it.

  3. Uninstall legacy Java versions. Keep only the newest release each application actually needs; remove Java 6 entirely, Java 7 older than 7u85 and Java 8 older than 8u51 (in practice anything older than the current 8 update, since later CPUs fixed further sandbox escapes).

  4. Migrate legacy Java applications. Applications pinned to old runtimes should be modernized; where that is not yet possible, run them in a container or dedicated VM so the old runtime is never reachable from a browser.

  5. Block Java applets and JNLP content at the browser and network level. Filtering .jar and .jnlp downloads and Java/ User-Agents at the proxy catches the stragglers that step 2 missed.
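Steps 2 and 5 above can be enforced centrally rather than per user through the Java Control Panel. The fragment below is an added example, not from the advisory or from Oracle's documentation: the keys (deployment.system.config, deployment.webjava.enabled, deployment.security.level and the .locked suffix that prevents users from overriding a setting) are the real deployment.properties keys, but the file paths are assumptions that vary by platform and JRE location.

```properties
# deployment.config: the JRE reads this system-wide file first and, if it points
# at a mandatory system properties file, refuses to run when that file is missing.
# Location is an assumption: %WINDIR%\Sun\Java\Deployment\ on Windows,
# <jre>/lib/ on Linux.
deployment.system.config=file:///etc/java/deployment.properties
deployment.system.config.mandatory=true

# /etc/java/deployment.properties (assumed path, referenced above)
#
# Weak setting (the pre-2015 default): Java content is allowed in the browser,
# and a user can lower the security level from the Control Panel.
#   deployment.webjava.enabled=true
#   deployment.security.level=HIGH
#
# Corrected: no Java in the browser, highest level for anything that still runs
# outside it, and both settings locked so the Control Panel cannot re-enable them.
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
deployment.security.level.locked
```

Rolling this out does nothing for a JRE too old to honour the keys, so it complements rather than replaces step 1; it is what keeps a freshly installed or re-enabled plugin from reopening the vector on a patched fleet.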

Key Details

Property Value
CVE ID CVE-2015-2590
Vendor / Product Oracle — Java SE
NVD Published 2015-07-16
NVD Last Modified 2025-10-22
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-284 — Improper Access Control
CISA KEV Added 2022-03-03
CISA KEV Deadline 2022-03-24
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date Event
2015-07-14 Oracle Critical Patch Update July 2015 released; CVE-2015-2590 patched in Java 8u51 and 7u85
2015-07-16 CVE-2015-2590 published by NVD
2022-03-03 Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24 CISA BOD 22-01 remediation deadline

References

Resource Type
NVD — CVE-2015-2590 Vulnerability Database
CISA KEV Catalog Entry US Government
Oracle Critical Patch Update July 2015 Vendor Advisory