CVE-2015-7501

Impact: Critical
Public Date: 2015-11-06
IAVA: 2017-A-0018
Bugzilla: 1279330: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

Find out more about CVE-2015-7501 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.

CVSS v2 metrics

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux 5 (jakarta-commons-collections) | RHSA-2015:2671 | 2015-12-21
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2015:2514 | 2015-11-24
Red Hat JBoss Web Server 3.0 | RHSA-2015:2548 | 2015-12-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2015:2542 | 2015-12-02
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:2538 | 2015-12-02
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01
Red Hat Enterprise Linux 6 (jakarta-commons-collections) | RHSA-2015:2521 | 2015-11-30
Red Hat JBoss Enterprise Application Platform 4.3 | RHSA-2015:2514 | 2015-11-24
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01
Red Hat Enterprise Linux 7 (apache-commons-collections) | RHSA-2015:2522 | 2015-11-30
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20
RHOSE Client 2.0 (jenkins) | RHSA-2016:1773 | 2016-08-24
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2015:2541 | 2015-12-02
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01
Red Hat JBoss Enterprise Application Platform 5.1 | RHSA-2015:2514 | 2015-11-24
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:2539 | 2015-12-02
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:2540 | 2015-12-02
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20

Affected Packages State

Platform | Package | State
Red Hat Subscription Asset Manager 1 | jasperreports-server-pro | Affected
Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Not affected
Red Hat JBoss Portal Platform 6 | jbossas | Affected
Red Hat JBoss Portal 5 | jbossas | Affected
Red Hat JBoss Operations Network 3 | jbossas | Affected
Red Hat JBoss Fuse Service Works 6 | jbossas | Affected
Red Hat JBoss Enterprise SOA Platform 5 | JBossAS | Affected
Red Hat JBoss Enterprise SOA Platform 5 | jbossas | Affected
Red Hat JBoss Enterprise SOA Platform 4 | JBossAS | Affected
Red Hat JBoss EWS 2 | tomcat | Not affected
Red Hat JBoss Data Virtualization 6 | jbossas | Affected
Red Hat JBoss Data Grid 6 | Infinispan | Affected
Red Hat JBoss BRMS 6 | jbossas | Affected
Red Hat JBoss BRMS 5 | jbossas | Affected
Red Hat JBoss BPMS 6 | jbossas | Affected
Red Hat JBoss A-MQ 6 | camel | Affected
RHEV Manager 3 | jasperreports-server-pro | Affected