
esri ArcGis Android SDK Deserialization Code Execution

Aleph Research Advisory

Identifier

Severity

High

Product

esri ArcGis

Vulnerable Version

Before version 10.2.6-2

Mitigation

Use version 10.2.6-2 or later.

Technical Details

The esri ArcGis SDK for Android contains a Serializable class whose ‘finalize’ method later calls a native function with an attacker-controllable pointer, eventually allowing code execution by malicious apps.
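The following Java snippet is an added illustration of the vulnerable pattern described above and of a hardened alternative; it is not esri's code, and the class and method names (UnsafeNativeHandle, SafeNativeHandle, nativeRelease, nativeCreate) are hypothetical. The unsafe shape serializes a raw native pointer and hands it to JNI from finalize(), so whatever value the deserialized field carries is passed to native code once the garbage collector finalizes the object. The hardened shape keeps the pointer out of the serialized form, rebuilds native state itself after deserialization and releases it explicitly instead of from a finalizer.

```java
// Added example (not the SDK's own code); all names are hypothetical.
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;

// Vulnerable shape: mirrors the advisory's description of the bug class.
class UnsafeNativeHandle implements Serializable {
    private static final long serialVersionUID = 1L;

    // Not transient, so the value is read straight from the untrusted stream
    // during deserialization and is therefore under the sender's control.
    private long handle;

    // JNI function that dereferences or frees the raw pointer it is given.
    private static native void nativeRelease(long handle);

    @Override
    protected void finalize() {
        // Runs on the finalizer thread with whatever 'handle' deserialized to;
        // no validation stands between the stream and the native call.
        nativeRelease(handle);
    }
}

// Hardened shape.
class SafeNativeHandle implements Serializable {
    private static final long serialVersionUID = 1L;

    // 'transient' excludes the pointer from the serialized form entirely:
    // after deserialization the field is always 0, never a stream-supplied value.
    private transient long handle;

    private static native long nativeCreate();
    private static native void nativeRelease(long handle);

    SafeNativeHandle() {
        handle = nativeCreate();
    }

    // Deserialization hook: only the Java-visible state comes from the stream,
    // native state is allocated fresh by trusted code.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        handle = nativeCreate();
    }

    // Explicit, idempotent release instead of finalize(): nothing reaches native
    // code merely because an object became garbage, and a zero handle is never passed.
    public synchronized void close() {
        if (handle != 0) {
            nativeRelease(handle);
            handle = 0;
        }
    }
}
```

The defensive takeaways are the three changes between the two classes: raw native handles are never part of a serialized form, any object that is reconstructed from a stream re-creates its native resources itself, and native release happens from an explicit close() guarded against a null handle rather than from finalize().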

Timeline

  • 01-Mar-17: Added as
  • 10-Aug-15: Public disclosure

Credit

  • peles of Aleph Research, HCL Software
  • roeeh of Aleph Research, HCL Software