Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2015:2671 - Security Advisory
Issued:
2015-12-21
Updated:
2015-12-21

RHSA-2015:2671 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: jakarta-commons-collections security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated jakarta-commons-collections packages that fix one security issue
are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

Description

The Jakarta/Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

CVEs

  • CVE-2015-7501

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/solutions/2045023
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
ia64
jakarta-commons-collections-3.2-2jpp.4.ia64.rpm SHA-256: 87d4ef9738721a761b1404a9e60b4c75e72dadb514a9ca007b0202b9381d0710
jakarta-commons-collections-debuginfo-3.2-2jpp.4.ia64.rpm SHA-256: 0646774f27da4658d0f344acb5cb091fab45e4e6c18163598e70ac54c4d73574
jakarta-commons-collections-javadoc-3.2-2jpp.4.ia64.rpm SHA-256: c677d7c00d96a028522ff565a86fecc23a8c997b39daf85f31471500c0ab4d55
jakarta-commons-collections-testframework-3.2-2jpp.4.ia64.rpm SHA-256: 12b0ac91586c05e4966fa852c6954d429393e1ca92302946dd1cf9b6d25d3c41
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.ia64.rpm SHA-256: 20ce9dc05351fe97e0899e78d2c943af13d7ac4869e5ef8f3d25542cbe49ae05
jakarta-commons-collections-tomcat5-3.2-2jpp.4.ia64.rpm SHA-256: d69a6732dbe24ba08ea91aed79ab3193624170283af3027d879b32867d66a448
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux Workstation 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux Desktop 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
s390x
jakarta-commons-collections-3.2-2jpp.4.s390x.rpm SHA-256: 527ca4c2af0032d6e08592d267afc6b13d9781db713ce3566a4fcbabb0004aca
jakarta-commons-collections-debuginfo-3.2-2jpp.4.s390x.rpm SHA-256: 27c1e2ec79c83525840feb28e15032bd4e70513c224427975eb028a3cd4ecc72
jakarta-commons-collections-javadoc-3.2-2jpp.4.s390x.rpm SHA-256: a7a5c4b50cc6acba62a6474b262c56e3ba8f67eef183445145ad1c299ebc1ab6
jakarta-commons-collections-testframework-3.2-2jpp.4.s390x.rpm SHA-256: 47021782394bd6cbfc9155cc11dc07bffffc853c3bb93549348a834febc13abb
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.s390x.rpm SHA-256: 5942ac28fc5de4cd9912cbd4617cf4d21d3edf33322b8a5cdec1cd63c578ce2c
jakarta-commons-collections-tomcat5-3.2-2jpp.4.s390x.rpm SHA-256: 9fba44acf1d1665bda06cbbe34ebda7d3ecc9aff8c5f08f2f43c046a0155e622

Red Hat Enterprise Linux for Power, big endian 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
ppc
jakarta-commons-collections-3.2-2jpp.4.ppc.rpm SHA-256: 62bf34d473a231e1c0e816eebc6cb26839387df467e685b4c64fefedb012ceb7
jakarta-commons-collections-debuginfo-3.2-2jpp.4.ppc.rpm SHA-256: 6555b133765f61a8cc0cf2b03863d2ec0352aae4978a2ef07d745091b2b897bf
jakarta-commons-collections-javadoc-3.2-2jpp.4.ppc.rpm SHA-256: d1977caaede38b191a288155d3c3ca0cd64dd981626b550c072450abdcef422f
jakarta-commons-collections-testframework-3.2-2jpp.4.ppc.rpm SHA-256: e4d6f9efe0ecc66c50edb33bc08886d55c9cc1fdd8fc8bd2300995dab828af86
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.ppc.rpm SHA-256: 932f5d25206a0900cc200e589268a49b485f2d062d20a295e0f235bb50899c48
jakarta-commons-collections-tomcat5-3.2-2jpp.4.ppc.rpm SHA-256: 9ca51d214f3b00efe3b7442dcd24e2e7a5e29fc79a4b4775fb8a363dd041e90d

Red Hat Enterprise Linux Server from RHUI 5

SRPM
jakarta-commons-collections-3.2-2jpp.4.src.rpm SHA-256: 921136c0a07f2b11f48c54eaeb99ae061063254320cab0f56bffabc42b81e0fb
x86_64
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm SHA-256: 9f20472d781c400623268359bbfd7f90fc4e852386c592c4a072202856398fb6
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm SHA-256: 3254fbf5b015a2e03fdfc043a0680f6b5c006c68aa0b0017dc7f6da8f7a651d2
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: 0ebd369fd1053e0174fd73ab2ec0761389d26cf1a6cf550d5ef65a92278a40ba
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm SHA-256: f172c0d0925de4664b518b04dec449e31842349a777067bc12bba863b112626c
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm SHA-256: c784b4e7805e206b4141fb894d278afa65cc5d687e5e63f08a2e0c8e01187b20
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm SHA-256: c5e70b1d132ebf895ff6a2a530aab23d876c745c8522ce15efd0eab99acc3af3
i386
jakarta-commons-collections-3.2-2jpp.4.i386.rpm SHA-256: 192b66739a1268ce18d8e3dfdec57abb08f56962c9fe9d64281b60eda6a8f166
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm SHA-256: 3be902d8f525c426a9f8983251f18f4e92ea21c393753bcd8cb705573c428a4e
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm SHA-256: edb98a07387f744d76e89dce1dac9cab140abd6680257f7f8b8c905e041627a4
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm SHA-256: 05811d1bf5c9c6cc471e5568c49489f4abe44dfa4bdb02698e3299d8e95a6bb2
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm SHA-256: e4481b396f6e9d0f6dd9519bcb866037fb400869e68cadebb95aedcccc22c761
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm SHA-256: 952f8c462991fc44c20422ba2881f46fcd9860dfe25903a2959b86fed15abead

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter