Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Oracle Java SE and JRockit Unrestricted Deserialization Vulnerability in JMX Component

Vulnerability

A vulnerability allowing unrestricted deserialization of authentication credentials has been identified in Oracle Java SE versions 6u113, 7u99, and 8u77, as well as in Java SE Embedded 8u77 and JRockit R28.3.9. A remote, unauthenticated attacker who can connect to a JMX port could exploit it to carry out a deserialization attack against the affected JVM.

Impact

Successful exploitation allows an attacker to have untrusted objects deserialized by the JVM, which may be used to manipulate application logic or data. In Java, such deserialization vulnerabilities can often be escalated to arbitrary code execution on the server.

Remediation

Users should upgrade to the latest versions of Oracle Java SE or Oracle Java SE Embedded. Instructions for applying this update are in the Oracle Critical Patch Update April 2016 Availability Document, My Oracle Support Note 2123093.1. For Red Hat users, an update for OpenJDK 8 is available through the Red Hat Update Infrastructure (RHUI).

Added: May 15, 2026, 1:46 PM
Updated: May 15, 2026, 1:46 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.8
remediation     7.7
relevance       0.0
threat          9.9
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.