Issued:: 2015-12-21
Updated:: 2015-12-21

RHSA-2015:2671 - Security Advisory

Overview
Updated Packages

Synopsis

Important: jakarta-commons-collections security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated jakarta-commons-collections packages that fix one security issue
are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

The Jakarta/Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 ia64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux for IBM z Systems 5 s390x
Red Hat Enterprise Linux for Power, big endian 5 ppc
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

CVEs

CVE-2015-7501

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm	SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm	SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm	SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm	SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
ia64
jakarta-commons-collections-3.2-2jpp.4.ia64.rpm	SHA-256: 87d4ef9738721a761b1404a9e60b4c75e72dadb514a9ca007b0202b9381d0710
jakarta-commons-collections-debuginfo-3.2-2jpp.4.ia64.rpm	SHA-256: 0646774f27da4658d0f344acb5cb091fab45e4e6c18163598e70ac54c4d73574
jakarta-commons-collections-javadoc-3.2-2jpp.4.ia64.rpm	SHA-256: c677d7c00d96a028522ff565a86fecc23a8c997b39daf85f31471500c0ab4d55
jakarta-commons-collections-testframework-3.2-2jpp.4.ia64.rpm	SHA-256: 12b0ac91586c05e4966fa852c6954d429393e1ca92302946dd1cf9b6d25d3c41
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.ia64.rpm	SHA-256: 20ce9dc05351fe97e0899e78d2c943af13d7ac4869e5ef8f3d25542cbe49ae05
jakarta-commons-collections-tomcat5-3.2-2jpp.4.ia64.rpm	SHA-256: d69a6732dbe24ba08ea91aed79ab3193624170283af3027d879b32867d66a448
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm	SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm	SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm	SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm	SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux Workstation 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm	SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm	SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm	SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm	SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm	SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm	SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm	SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm	SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm	SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm	SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux Desktop 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm	SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm	SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm	SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm	SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
s390x
jakarta-commons-collections-3.2-2jpp.4.s390x.rpm	SHA-256: 527ca4c2af0032d6e08592d267afc6b13d9781db713ce3566a4fcbabb0004aca
jakarta-commons-collections-debuginfo-3.2-2jpp.4.s390x.rpm	SHA-256: 27c1e2ec79c83525840feb28e15032bd4e70513c224427975eb028a3cd4ecc72
jakarta-commons-collections-javadoc-3.2-2jpp.4.s390x.rpm	SHA-256: a7a5c4b50cc6acba62a6474b262c56e3ba8f67eef183445145ad1c299ebc1ab6
jakarta-commons-collections-testframework-3.2-2jpp.4.s390x.rpm	SHA-256: 47021782394bd6cbfc9155cc11dc07bffffc853c3bb93549348a834febc13abb
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.s390x.rpm	SHA-256: 5942ac28fc5de4cd9912cbd4617cf4d21d3edf33322b8a5cdec1cd63c578ce2c
jakarta-commons-collections-tomcat5-3.2-2jpp.4.s390x.rpm	SHA-256: 9fba44acf1d1665bda06cbbe34ebda7d3ecc9aff8c5f08f2f43c046a0155e622

Red Hat Enterprise Linux for Power, big endian 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
ppc
jakarta-commons-collections-3.2-2jpp.4.ppc.rpm	SHA-256: 62bf34d473a231e1c0e816eebc6cb26839387df467e685b4c64fefedb012ceb7
jakarta-commons-collections-debuginfo-3.2-2jpp.4.ppc.rpm	SHA-256: 6555b133765f61a8cc0cf2b03863d2ec0352aae4978a2ef07d745091b2b897bf
jakarta-commons-collections-javadoc-3.2-2jpp.4.ppc.rpm	SHA-256: d1977caaede38b191a288155d3c3ca0cd64dd981626b550c072450abdcef422f
jakarta-commons-collections-testframework-3.2-2jpp.4.ppc.rpm	SHA-256: e4d6f9efe0ecc66c50edb33bc08886d55c9cc1fdd8fc8bd2300995dab828af86
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.ppc.rpm	SHA-256: 932f5d25206a0900cc200e589268a49b485f2d062d20a295e0f235bb50899c48
jakarta-commons-collections-tomcat5-3.2-2jpp.4.ppc.rpm	SHA-256: 9ca51d214f3b00efe3b7442dcd24e2e7a5e29fc79a4b4775fb8a363dd041e90d

Red Hat Enterprise Linux Server from RHUI 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm	SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm	SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm	SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm	SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm	SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm	SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm	SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm	SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm	SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm	SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm	SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation