CVE-2015-4902 — Oracle Java SE Integrity Check Vulnerability

CVE-2015-4902

Oracle Java SE — Deployment Component Integrity Check Bypass Allows Silent Java Applet Execution Without Security Prompts; Fixed Java 8u65 (October 2015)

What Is Oracle Java SE Deployment?

Oracle Java SE's Deployment component encompasses the Java browser plugin, Java Web Start, and the Java Control Panel — the mechanisms by which Java applets and applications are delivered to and executed on end-user systems. The Deployment component includes security prompting (showing users "Do you want to run this application?" dialogs), certificate validation for signed JAR files, and permission enforcement for applet execution.

The Deployment security layer is designed to ensure users are informed before potentially dangerous Java code executes, and to verify that signed Java code comes from a trusted publisher. Bypassing these checks allows Java content to execute silently, without the user seeing the expected security warning.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2015-4902 is a vulnerability in Oracle Java SE's Deployment component that allows remote attackers to bypass its integrity checks, with an integrity impact on the Java runtime environment. The underlying flaw is unspecified: it lies in how the Deployment component verifies or enforces integrity constraints on Java applet or Java Web Start application execution, and it lets attackers bypass the security prompts or integrity verification that would normally prevent untrusted Java content from running silently. Oracle patched this in the October 2015 Critical Patch Update (Java 8u65 / Java 7u91).

Affected Versions

Java SE          Status
Java SE 6u101    Vulnerable
Java SE 7u85     Vulnerable
Java SE 8u60     Vulnerable
Java SE 7u91     Fixed
Java SE 8u65     Fixed

Technical Details

Root Cause: Deployment Component Integrity Check Bypass

CVE-2015-4902 involves improper access control (CWE-284) in the Java Deployment component's handling of integrity verification. The Deployment component performs several security checks before executing Java applets or Web Start applications:

  • JAR manifest verification — confirming that signed JAR files haven't been tampered with
  • Security prompt enforcement — displaying user prompts for applets without trusted signatures
  • Security policy enforcement — applying the configured Java security level settings

A flaw in how these checks are performed allows specially crafted Java content to bypass one or more of these integrity steps. The practical effect is that Java content that should trigger a security warning (or be blocked entirely at the user's Java security level setting) can execute without the expected prompt or block.

Role in Exploitation Chains

While CVE-2015-4902 alone has limited confidentiality or availability impact (CVSS C:N A:N), it serves as an enabler in multi-stage attack chains:

  1. Attacker delivers Java content that would normally trigger a "block" or "warning" at the user's security level
  2. CVE-2015-4902 bypasses the integrity check, allowing the content to execute silently
  3. The executing Java content exploits a separate vulnerability (such as CVE-2015-2590, a sandbox bypass) to achieve full code execution

By eliminating the user-facing security prompt, the bypass makes Java exploitation more reliable and less likely to be noticed.

Attack Characteristics

Attribute         Detail
Attack Vector     Network — malicious Java content delivered via a web page
Authentication    None required
Impact            Integrity bypass (security prompt/check suppression)
Use               Enabler in exploit chains with Java sandbox bypasses

Discovery

CVE-2015-4902 was patched in Oracle's October 2015 Critical Patch Update, which addressed multiple Java SE vulnerabilities across the Deployment and Libraries components.

Exploitation Context

  • Exploit kit enabler: CVE-2015-4902 was used by exploit kits in 2015 as part of Java exploitation chains; by suppressing security prompts, the bypass made Java-based drive-by attacks more effective against users who had Java security level warnings but not outright blocking
  • Declining Java attack surface: By late 2015, the Java browser plugin attack surface was shrinking as browsers removed NPAPI support; despite this, CVE-2015-4902 remains relevant for environments running legacy Java Web Start applications
  • Java browser plugin EOL: Oracle officially removed the Java browser plugin from Java 9 (September 2017); all modern browsers block NPAPI plugins, eliminating the browser attack vector for this CVE
  • CISA KEV (2022): Added March 2022, confirming exploitation in some contexts years after the patch

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update Java to 8u65 or later — Java 8u65 contains the fix for CVE-2015-4902. Current Java LTS versions (Java 11, 17, 21) are patched and significantly more secure.

  2. Remove the Java browser plugin — the Java browser plugin (NPAPI) is no longer supported in any modern browser and should be removed or disabled via the Java Control Panel.

  3. Remove legacy Java versions — uninstall Java versions older than 8u65. Where only a single Java version is needed, use the current LTS release.

  4. Disable Java Web Start for untrusted content — if Java Web Start is required for internal applications, configure Java security settings to block content from non-internal sources.

  5. Migrate off Java applets — applications relying on Java applets in the browser should be migrated to modern web technologies; the Java browser plugin attack class is permanently eliminated by upgrading to modern browsers.
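As an added example (not part of this advisory and not Oracle's tooling), the script below supports steps 1, 3 and 4 of the remediation list: it parses `java -version` output collected from a set of hosts, classifies each install against the fix levels stated above (7u91 and 8u65), and checks a Java `deployment.properties` file for a locked `VERY_HIGH` security level. The host outputs and property-file contents are constructed samples; treating Java 6 as "no fix listed" follows this page's version table rather than any Oracle statement, and the VERY_HIGH-and-locked check is a hardening baseline assumed here, not a setting the advisory prescribes.

```python
import re

# Fixed update levels named in the advisory (Oracle CPU, October 2015).
# Java 6 (6u101 is listed as vulnerable) has no fixed update on the page, so the
# script reports it as "no-fix-listed"; that treatment is an assumption.
FIXED_UPDATE = {7: 91, 8: 65}


def parse_java_version(version_output):
    """Return (major, update) from `java -version` output or a bare version string.

    Legacy strings read 1.<major>.0_<update> (e.g. "1.8.0_60"); Java 9+ reads
    <major>.<minor>.<patch> (e.g. "11.0.2"), where the third field is the update.
    """
    m = re.search(r'version "([^"]+)"', version_output)
    raw = m.group(1) if m else version_output.strip()
    legacy = re.match(r'^1\.(\d+)\.\d+(?:_(\d+))?', raw)
    if legacy:
        return int(legacy.group(1)), int(legacy.group(2) or 0)
    modern = re.match(r'^(\d+)(?:\.(\d+))?(?:\.(\d+))?', raw)
    if modern:
        return int(modern.group(1)), int(modern.group(3) or 0)
    raise ValueError(f"unrecognised Java version string: {raw!r}")


def classify(version_output):
    """Classify an install as 'fixed', 'vulnerable' or 'no-fix-listed' for CVE-2015-4902."""
    major, update = parse_java_version(version_output)
    if major >= 9:
        return "fixed"  # Java 9+ post-dates the October 2015 CPU
    if major in FIXED_UPDATE:
        return "fixed" if update >= FIXED_UPDATE[major] else "vulnerable"
    return "no-fix-listed"  # Java 6 and earlier: the page lists 6u101 as vulnerable only


def audit(hosts):
    """Map host name -> classification; anything not 'fixed' needs action."""
    return {host: classify(output) for host, output in hosts.items()}


def check_deployment_properties(text):
    """Findings for a deployment.properties file (step 4): the security level should be
    VERY_HIGH and locked so a user cannot lower it. The key names are Java's Deployment
    configuration keys; requiring VERY_HIGH + locked is this script's baseline."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    findings = []
    level = props.get("deployment.security.level")
    if level != "VERY_HIGH":
        findings.append(f"deployment.security.level is {level or 'unset'}; expected VERY_HIGH")
    if "deployment.security.level.locked" not in props:
        findings.append("deployment.security.level is not locked; users can lower it")
    return findings


# Constructed sample `java -version` outputs (not captured from real hosts).
SAMPLE_HOSTS = {
    "build-01": 'java version "1.8.0_60"\nJava(TM) SE Runtime Environment (build 1.8.0_60-b27)\n',
    "build-02": 'java version "1.8.0_65"\nJava(TM) SE Runtime Environment (build 1.8.0_65-b17)\n',
    "legacy-app": 'java version "1.7.0_85"\n',
    "kiosk": 'java version "1.6.0_101"\n',
    "dev-17": 'openjdk version "17.0.9"\nOpenJDK Runtime Environment (build 17.0.9+9)\n',
}

# Constructed deployment.properties contents: one weak, one hardened.
WEAK_PROPS = "deployment.security.level=HIGH\n"
HARDENED_PROPS = "deployment.security.level=VERY_HIGH\ndeployment.security.level.locked\n"

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_HOSTS).items()):
        print(f"{host:12s} {status}")
    for name, props in (("weak", WEAK_PROPS), ("hardened", HARDENED_PROPS)):
        print(name, check_deployment_properties(props) or "ok")
```

In practice the `java -version` text would come from an inventory agent or a remote shell; only the classification logic depends on the advisory's fix levels, so adding another CVE's thresholds means extending `FIXED_UPDATE`.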

Key Details

Property               Value
CVE ID                 CVE-2015-4902
Vendor / Product       Oracle — Java SE
NVD Published          2015-10-22
NVD Last Modified      2025-10-22
CVSS 3.1 Score         5.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Severity               MEDIUM
CWE                    CWE-284 — Improper Access Control
CISA KEV Added         2022-03-03
CISA KEV Deadline      2022-03-24
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        None
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

Date          Event
2015-10-20    Oracle Critical Patch Update October 2015 released; CVE-2015-4902 patched in Java 8u65 and Java 7u91
2015-10-22    CVE-2015-4902 published by NVD
2022-03-03    Added to CISA Known Exploited Vulnerabilities catalog
2022-03-24    CISA BOD 22-01 remediation deadline

References

Resource                                     Type
NVD — CVE-2015-4902                          Vulnerability Database
CISA KEV Catalog Entry                       US Government
Oracle Critical Patch Update October 2015    Vendor Advisory