#VU41012 Permissions, Privileges, and Access Controls in Google Android - CVE-2014-7911
Published: December 15, 2014 / Updated: October 5, 2020
Vulnerability identifier: #VU41012
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2014-7911
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Google Android
Google Android
Software vendor:
Google
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
luni/src/main/java/java/io/ObjectInputStream.java in the java.io.ObjectInputStream implementation in Android before 5.0.0 does not verify that deserialization will result in an object that met the requirements for serialization, which allows attackers to execute arbitrary code via a crafted finalize method for a serialized object in an ArrayMap Parcel within an intent sent to system_service, as demonstrated by the finalize method of android.os.BinderProxy, aka Bug 15874291.
Remediation
Install update from vendor's website.