CVE-2015-7501
Find out more about CVE-2015-7501 from the MITRE CVE dictionary and NIST NVD.
Statement
This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.
CVSS v2 metrics
| Base Score | 7.5 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 6.1 | RHSA-2015:2501 | 2015-11-20 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30 |
| Red Hat Enterprise Linux 5 (jakarta-commons-collections) | RHSA-2015:2671 | 2015-12-21 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2015:2514 | 2015-11-24 |
| Red Hat JBoss Web Server 3.0 | RHSA-2015:2548 | 2015-12-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
| Red Hat JBoss Fuse Service Works 6.0 | RHSA-2015:2517 | 2015-11-25 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2015:2542 | 2015-12-02 |
| Red Hat JBoss Enterprise Application Platform 6.2 | RHSA-2015:2501 | 2015-11-20 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:2538 | 2015-12-02 |
| Red Hat JBoss Operations Network 3.2 | RHSA-2015:2547 | 2015-12-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
| Red Hat JBoss Data Virtualization 6.2 | RHSA-2015:2534 | 2015-12-01 |
| JBoss Enterprise BRMS Platform 5.3 | RHSA-2015:2670 | 2015-12-18 |
| Red Hat Enterprise Linux 6 (jakarta-commons-collections) | RHSA-2015:2521 | 2015-11-30 |
| Red Hat JBoss Enterprise Application Platform 4.3 | RHSA-2015:2514 | 2015-11-24 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
| Red Hat JBoss Data Virtualization 6.1 | RHSA-2015:2534 | 2015-12-01 |
| Red Hat JBoss BPMS 6.2 | RHSA-2015:2560 | 2015-12-07 |
| Red Hat Enterprise Linux 7 (apache-commons-collections) | RHSA-2015:2522 | 2015-11-30 |
| Red Hat JBoss Fuse 6.2 | RHSA-2015:2556 | 2015-12-07 |
| Red Hat JBoss Data Grid 6.4 | RHSA-2015:2502 | 2015-11-20 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
| Red Hat JBoss Operations Network 3.3 | RHSA-2016:0118 | 2016-02-03 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
| Red Hat JBoss A-MQ 6.2 | RHSA-2015:2557 | 2015-12-07 |
| RHOSE Client 2.0 (jenkins) | RHSA-2016:1773 | 2016-08-24 |
| Red Hat JBoss Data Virtualization 6.0 | RHSA-2015:2534 | 2015-12-01 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2015:2541 | 2015-12-02 |
| Red Hat JBoss Portal 6.2 | RHSA-2015:2537 | 2015-12-01 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2015:2516 | 2015-11-25 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2015:2501 | 2015-11-20 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30 |
| Red Hat JBoss BRMS 6.2 | RHSA-2015:2559 | 2015-12-07 |
| Red Hat JBoss BPMS 6.0 | RHSA-2015:2579 | 2015-12-08 |
| Red Hat JBoss Operations Network 3.1 | RHSA-2016:0040 | 2016-01-14 |
| Red Hat JBoss Data Grid 6.5 | RHSA-2015:2502 | 2015-11-20 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
| Red Hat JBoss Enterprise Application Platform 5.1 | RHSA-2015:2514 | 2015-11-24 |
| Red Hat JBoss BRMS 6.1 | RHSA-2015:2578 | 2015-12-08 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:2539 | 2015-12-02 |
| Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2015:2501 | 2015-11-20 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:2540 | 2015-12-02 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
| Red Hat JBoss Operations Network 3.3 | RHSA-2015:2524 | 2015-11-30 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Subscription Asset Manager 1 | jasperreports-server-pro | Affected |
| Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Not affected |
| Red Hat JBoss Portal 5 | jbossas | Affected |
| Red Hat JBoss Fuse Service Works 6 | jbossas | Affected |
| Red Hat JBoss Enterprise SOA Platform 5 | JBossAS | Affected |
| Red Hat JBoss Enterprise SOA Platform 5 | jbossas | Affected |
| Red Hat JBoss Enterprise SOA Platform 4 | JBossAS | Affected |
| Red Hat JBoss EWS 2 | tomcat | Not affected |
| RHEV Manager 3 | jasperreports-server-pro | Affected |
