CVE-2015-5236
📋 TL;DR
CVE-2015-5236 is a Same Origin Policy (SOP) bypass in IcedTea-Web. A malicious web page can spoof the codebase attribute of a Java applet tag; because the codebase is the origin a sandboxed applet is allowed to connect back to, a spoofed value lets the page's applet reach a host the page does not own. Users running an affected IcedTea-Web version with the browser plugin enabled are exposed simply by loading such a page.
💻 Affected Systems
- IcedTea-Web
📦 What is this software?
Icedtea Web by Icedtea Web Project
⚠️ Risk & Real-World Impact
Worst Case
Full bypass of the Same Origin Policy: an applet served by a malicious page can send requests to, and read responses from, hosts of the attacker's choosing as if it had been loaded from them, including internal services reachable from the victim's browser. The applet still runs inside the Java sandbox, so this flaw on its own gives cross-origin access, not native code execution.
Likely Case
Data theft or session hijacking: an applet on an attacker's page reads data from, or issues requests to, an application on another host that trusts connections coming from the victim's network position.
If Mitigated
Limited impact if Java applets are disabled or proper network segmentation prevents access to sensitive systems.
🎯 Exploit Status
Exploitation requires user to visit malicious website with Java applets enabled. Proof of concept demonstrated in Red Hat bug reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IcedTea-Web 1.5.3 (1.5 branch) and 1.6.2 (1.6 branch)
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1256403
Restart Required: Yes (browser)
Instructions:
1. Update IcedTea-Web with your distribution's package manager.
   RHEL/CentOS: yum update icedtea-web
   Fedora: dnf update icedtea-web
   Debian/Ubuntu: apt-get install --only-upgrade icedtea-netx icedtea-plugin (the package is not called icedtea-web there)
2. Restart every browser that has loaded the plugin; the old library stays mapped until the browser process exits.
🔧 Temporary Workarounds
Disable Java applets in browser
Completely disable Java applet support in web browsers to prevent exploitation.
Browser-specific: Disable Java plugin in browser settings
Use NoScript or similar extensions
Block Java applet execution on untrusted websites using browser security extensions.
Install NoScript or uMatrix extension and configure to block Java
🧯 If You Can't Patch
- Disable Java applets completely in all browsers
- Block applet content at the web proxy for untrusted destinations (the application/x-java-applet type and .jar/.class fetches), allowing only the internal sites that genuinely need applets
🔍 How to Verify
Check if Vulnerable:
Check the installed IcedTea-Web version with the commands below. The 1.5 branch is affected before 1.5.3 and the 1.6 branch before 1.6.2. Compare within the branch you run: 1.5.3 is fixed even though it sorts numerically below 1.6.2.
Check Version:
rpm -q icedtea-web # RHEL/CentOS/Fedora
dpkg -l 'icedtea*' # Debian/Ubuntu (packages are icedtea-netx and icedtea-plugin, not icedtea-web)
Verify Fix Applied:
After the update, rpm -q icedtea-web (or dpkg -l 'icedtea*') should report 1.5.3 or later on the 1.5 branch, or 1.6.2 or later on the 1.6 branch. Then load a known-good applet to confirm the fix did not break legitimate use.
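The branch-aware comparison above is easy to get wrong by hand (a plain "below 1.6.2" test flags the fixed 1.5.3). The following is an added example for this advisory, not code from the IcedTea-Web project: it queries rpm or dpkg-query for the package, parses the version out of the returned string, and compares against the fix version for the installed branch. The package strings it parses are of the form rpm and dpkg print; the assumption that branches older than 1.5 are affected and branches newer than 1.6 are fixed follows the advisory's wording and is marked in the code.

```python
"""Branch-aware check for CVE-2015-5236 in IcedTea-Web.

Added example for this advisory, not code from the IcedTea-Web project.
It encodes the fix versions the advisory lists (1.5.3 on the 1.5 branch,
1.6.2 on the 1.6 branch) and parses the version out of the strings that
rpm/dpkg-query print. Any sample strings used with it are constructed.
"""
import re
import subprocess

# Fix versions per release branch, as listed in the advisory.
FIXED = {(1, 5): (1, 5, 3), (1, 6): (1, 6, 2)}

# Package manager queries. Debian/Ubuntu ship IcedTea-Web as icedtea-netx
# (plus icedtea-plugin for the browser plugin), not as "icedtea-web".
QUERIES = {
    "icedtea-web": ["rpm", "-q", "--qf", "%{VERSION}", "icedtea-web"],
    "icedtea-netx": ["dpkg-query", "-W", "-f=${Version}", "icedtea-netx"],
}


def parse_version(text):
    """Return (major, minor, patch) for the first dotted version in text,
    e.g. 'icedtea-web-1.5.2-1.el7.x86_64' -> (1, 5, 2). A missing patch
    level counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """Compare against the fix for the installed branch, so 1.5.3 is
    reported fixed even though it is numerically below 1.6.2.
    Assumption (consistent with the advisory's 'below 1.5.3 or 1.6.2'
    wording): branches older than 1.5 are affected, newer than 1.6 fixed."""
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (1, 5)


def installed_versions():
    """Run QUERIES and return {package: version string} for installed
    packages; a missing tool or an absent package is skipped."""
    found = {}
    for pkg, cmd in QUERIES.items():
        try:
            out = subprocess.run(cmd, capture_output=True, text=True,
                                 check=True).stdout.strip()
        except (OSError, subprocess.CalledProcessError):
            continue
        if out:
            found[pkg] = out
    return found


def report():
    """One status line per installed IcedTea-Web package."""
    lines = []
    for pkg, ver in installed_versions().items():
        status = "VULNERABLE" if is_vulnerable(parse_version(ver)) else "fixed"
        lines.append("%s %s: %s" % (pkg, ver, status))
    return lines or ["IcedTea-Web not found by rpm or dpkg-query"]


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it as root or as any user (both package queries are read-only). A browser plugin can also be installed from a tarball outside the package manager; the script does not see those, so treat "not found" as "check by hand", not as "not vulnerable".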
📡 Detection & Monitoring
Log Indicators:
- Applets whose codebase is on a different host than the page that embeds them (visible in IcedTea-Web's own log when file logging is enabled in itweb-settings, and in proxy records of the .jar/.class fetches)
- Java applet loading errors or security-manager exceptions clustered around a single visited site
- Browser console messages about Same Origin Policy or codebase mismatches
Network Indicators:
- Requests carrying a Java User-Agent (the JVM default is of the form Java/<version>, not the browser's string) to hosts other than the one the applet's jar was fetched from
- Cross-domain requests from applet contexts to internal services that the originating site has no business reaching
SIEM Query:
source="browser_logs" AND (message="*Same Origin Policy*" OR message="*codebase*" OR message="*applet*")
Browsers do not forward such logs to a SIEM by default, so in practice the proxy log is the better source; an equivalent query there (field names illustrative) is: sourcetype="proxy" AND user_agent="Java/*" AND NOT dest_host IN (<hosts known to serve your applets>).