CVE-2015-8965

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary Java code on systems running vulnerable versions of Rogue Wave JViews. The issue exists because the IlvFacesController servlet doesn't properly restrict which servlets can be called, enabling attackers to invoke existing Java classes in the classpath. Organizations using JViews web applications are affected.

💻 Affected Systems

Products:
  • Rogue Wave JViews
Versions: Before 8.8 patch 21, and 8.9 before patch 1
Operating Systems: All operating systems running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web applications using the jviews-framework-all.jar library with the IlvFacesController servlet.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Attackers execute existing Java classes in the classpath, potentially gaining administrative access or performing unauthorized actions.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication and affects web applications.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows code execution if accessible to attackers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and leverages existing Java classes, making exploitation straightforward for attackers with access to the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.8 patch 21 or 8.9 patch 1

Vendor Advisory: https://rwkbp.makekb.com/?View=entry&EntryID=2521

Restart Required: Yes

Instructions:

1. Download the appropriate patch from Rogue Wave/Oracle.
2. Apply the patch to your JViews installation.
3. Restart the application server.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Remove or Restrict IlvFacesController Servlet

Platform: all

Remove the vulnerable servlet from web.xml or restrict access to it through security controls.

Edit web.xml to remove <servlet> and <servlet-mapping> entries for ilog.views.faces.IlvFacesController.

Network Access Control

Platform: all

Restrict network access to the affected application using firewalls or network segmentation.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected systems
  • Deploy web application firewall (WAF) rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if jviews-framework-all.jar is present in your application and examine web.xml for IlvFacesController servlet configuration.

Check Version:

Check the JViews documentation or application properties for version information.

Verify Fix Applied:

Verify the JViews version is 8.8 patch 21 or higher, or 8.9 patch 1 or higher, and that the IlvFacesController servlet is properly secured or removed.
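The web.xml and library check described above can be scripted. The following is an added example, not vendor code; it assumes an exploded web application with the standard WEB-INF/web.xml and WEB-INF/lib layout, and the sample descriptor (servlet name and URL pattern) is constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

TARGET_CLASS = "ilog.views.faces.IlvFacesController"  # class named in the workaround
TARGET_JAR = "jviews-framework-all.jar"               # library named in the notes

# Constructed sample descriptor; the servlet name and URL pattern are made up.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet><servlet-name>Controller</servlet-name>
    <servlet-class>ilog.views.faces.IlvFacesController</servlet-class></servlet>
  <servlet-mapping><servlet-name>Controller</servlet-name>
    <url-pattern>/example-controller/*</url-pattern></servlet-mapping>
</web-app>"""


def find_controller(web_xml):
    """Map each servlet-name declared with TARGET_CLASS to its url-patterns."""
    root = ET.fromstring(web_xml)
    for elem in root.iter():
        elem.tag = elem.tag.rsplit("}", 1)[-1]  # drop namespace so any descriptor version matches
    found = {}
    for servlet in root.iter("servlet"):
        if (servlet.findtext("servlet-class") or "").strip() == TARGET_CLASS:
            found[(servlet.findtext("servlet-name") or "").strip()] = []
    for mapping in root.iter("servlet-mapping"):
        name = (mapping.findtext("servlet-name") or "").strip()
        if name in found:
            found[name] += [(p.text or "").strip() for p in mapping.findall("url-pattern")]
    return found


def audit_webapp(webapp_dir):
    """Audit an exploded webapp (assumed layout: WEB-INF/web.xml and WEB-INF/lib/)."""
    web_inf = Path(webapp_dir) / "WEB-INF"
    web_xml = web_inf / "web.xml"
    servlets = find_controller(web_xml.read_bytes()) if web_xml.is_file() else {}
    return {"jar_present": (web_inf / "lib" / TARGET_JAR).is_file(), "servlets": servlets}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, audit_webapp(path))
    else:
        print("sample:", find_controller(SAMPLE_WEB_XML))
```

An empty `servlets` result covers web.xml only and says nothing about the installed patch level, so the version check still applies.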

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to IlvFacesController servlet
  • Java class loading errors or unexpected class executions

Network Indicators:

  • HTTP requests to paths associated with IlvFacesController
  • Unusual outbound connections from the application server

SIEM Query:

Search for HTTP requests containing 'IlvFacesController' or patterns matching Java class invocation attempts.
