CVE-2015-2002

9.8 CRITICAL

📋 TL;DR

This vulnerability in the ESRI ArcGIS Runtime SDK for Android allows attackers to execute arbitrary code: a Serializable class in the SDK has a finalize method that passes attacker-controlled pointers to native functions, so a crafted serialized object that reaches the app's deserialization path can trigger native code execution. It affects Android applications built with vulnerable SDK versions, potentially compromising the devices running those apps.

💻 Affected Systems

Products:
  • ESRI ArcGIS Runtime SDK for Android
Versions: before 10.2.6-2
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android applications built with the vulnerable SDK. iOS and other platforms are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise with remote code execution, allowing attackers to install malware, steal data, or gain persistent access.

🟠 Likely Case

Application compromise leading to data theft, privilege escalation, or device takeover within the context of the vulnerable app.

🟢 If Mitigated

Limited impact if the app runs in a sandboxed environment with minimal permissions, though code execution within the app context is still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious serialized objects and understanding of native memory manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.6-2 and later

Vendor Advisory: https://www.esri.com/arcgis-blog/products/developers/uncategorized/security-advisory-for-arcgis-runtime-sdk-for-android/

Restart Required: Yes

Instructions:

1. Update ArcGIS Runtime SDK for Android to version 10.2.6-2 or later.
2. Rebuild and redeploy all Android applications using the SDK.
3. Distribute updated apps to end users.

🔧 Temporary Workarounds

Disable serialization of vulnerable classes (applies to: all)

Modify application code to avoid serialization/deserialization of potentially malicious objects

Network segmentation (applies to: all)

Isolate devices running vulnerable apps from critical networks

🧯 If You Can't Patch

  • Remove vulnerable applications from devices
  • Implement strict network controls and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check SDK version in Android project build.gradle or manifest. Look for com.esri.arcgisruntime version < 10.2.6-2.

Check Version:

Check build.gradle for 'com.esri.arcgisruntime:arcgis-android:VERSION' or examine the APK manifest.

Verify Fix Applied:

Verify SDK version is 10.2.6-2 or higher in build configuration and rebuilt app uses updated SDK.
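The version check above can be automated across a fleet of Android projects. The following script is an added example written for this page, not ESRI's code or an ESRI tool: it scans build.gradle text for the 'com.esri.arcgisruntime:arcgis-android:VERSION' coordinate named above, parses the version (including the '-N' build suffix used by 10.2.6-2), and reports whether each pinned version is older than the fixed release. Versions that come from a Gradle variable (for example `${arcgisVersion}`) cannot be resolved from the file alone and are reported as unresolved for manual follow-up. The sample build.gradle content is constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Fixed release from the advisory on this page.
FIXED_VERSION = "10.2.6-2"

# Matches the dependency coordinate named on this page, in either quote
# style, capturing whatever follows the final colon (a version or a variable).
DEP_RE = re.compile(
    r"""['"]com\.esri\.arcgisruntime:arcgis-android:([^'"]+)['"]"""
)

# A concrete version: dotted integers with an optional '-N' build suffix.
VERSION_RE = re.compile(r"[0-9]+(?:\.[0-9]+)*(?:-[0-9]+)?")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Split '10.2.6-2' into ((10, 2, 6), 2).

    A version without a '-N' suffix (e.g. plain '10.2.6') gets build 0, so it
    sorts before '10.2.6-1' and '10.2.6-2'.
    """
    base, _, build = v.partition("-")
    parts = tuple(int(p) for p in base.split("."))
    build_num = int(build) if build.isdigit() else 0
    return parts, build_num


def is_vulnerable(version: str) -> bool:
    """True when the pinned SDK version is older than the fixed 10.2.6-2."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit_gradle(gradle_text: str) -> List[Tuple[str, Optional[bool]]]:
    """Return (version, vulnerable) for every ArcGIS Android dependency found.

    'vulnerable' is None when the version is a Gradle variable that must be
    resolved by hand (or by running Gradle) before the check can be decided.
    """
    results: List[Tuple[str, Optional[bool]]] = []
    for match in DEP_RE.finditer(gradle_text):
        ver = match.group(1)
        if VERSION_RE.fullmatch(ver):
            results.append((ver, is_vulnerable(ver)))
        else:
            results.append((ver, None))  # unresolved: version comes from a variable
    return results


# Constructed sample build.gradle content (not from any real project).
SAMPLE_GRADLE = """
dependencies {
    compile 'com.esri.arcgisruntime:arcgis-android:10.2.5'
    implementation "com.esri.arcgisruntime:arcgis-android:10.2.6-2"
    implementation "com.esri.arcgisruntime:arcgis-android:${arcgisVersion}"
}
"""


def main() -> None:
    for ver, vulnerable in audit_gradle(SAMPLE_GRADLE):
        if vulnerable is None:
            status = "UNRESOLVED (variable; resolve manually)"
        elif vulnerable:
            status = "VULNERABLE (older than %s)" % FIXED_VERSION
        else:
            status = "fixed"
        print("%-20s %s" % (ver, status))


if __name__ == "__main__":
    main()
```

For a real audit, feed each project's build.gradle (and any dependency version catalogue it references) into `audit_gradle`; a rebuilt APK should additionally be confirmed against the updated SDK, since the Gradle file only proves what the next build will use.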

📡 Detection & Monitoring

Log Indicators:

  • Unusual native library loading
  • Unexpected serialization/deserialization errors
  • Memory access violations

Network Indicators:

  • Suspicious data payloads to apps using ArcGIS SDK
  • Unexpected network connections from ArcGIS apps

SIEM Query:

source="android_logs" AND (process="arcgis" OR package="com.esri.*") AND (event="native_crash" OR event="memory_violation")
