CVE-2015-8965

Name of the Vulnerable Software and Affected Versions Rogue Wave JViews versions 8.8 through 8.8 patch 20 Rogue Wave JViews versions 8.9 through 8.9 patch 0

Description The issue allows remote attackers to execute arbitrary Java code that exists in the classpath, such as test code or administration code. This is due to the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar not requiring explicit configuration of servlets that can be called. The vulnerability is related to insufficient access control checks, which can be exploited by a remote attacker to execute arbitrary code.

Recommendations For Rogue Wave JViews versions 8.8 through 8.8 patch 20, apply patch 21 to resolve the issue. For Rogue Wave JViews versions 8.9 through 8.9 patch 0, apply patch 1 to resolve the issue. As a temporary workaround, consider restricting access to the ilog.views.faces.IlvFacesController servlet in jviews-framework-all.jar to minimize the risk of exploitation.