CVE-2015-7501

Impact:
Critical
Public Date:
2015-11-06
IAVA:
2017-A-0018
CWE:
CWE-502->CWE-284
Bugzilla:
1279330: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
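As an added illustration of the standard mitigation for this class of flaw (not code from this advisory, from Red Hat, or from Apache Commons), a look-ahead ObjectInputStream that resolves only classes on an explicit allowlist, so a serialized object graph naming commons-collections transformer classes is rejected before any of them is loaded; the allowlist contents and the Unlisted stand-in class are assumptions constructed for the demo:

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: each class descriptor is checked against an allowlist
// before the JVM loads it, so a gadget such as InvokerTransformer is refused up front.
public final class SafeObjectInputStream extends ObjectInputStream {
    // Demo allowlist (assumption): restrict to the types the application really exchanges.
    private static final Set<String> ALLOWED = Set.of("java.util.HashMap");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: do not even call Class.forName on an unexpected type.
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for an unexpected class arriving in untrusted input.
    static final class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> expected = new HashMap<>();
        expected.put("user", "alice");
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(expected)))) {
            System.out.println("allowed: " + in.readObject());
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(serialize(new Unlisted())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be applied without subclassing through ObjectInputStream.setObjectInputFilter with a pattern such as ObjectInputFilter.Config.createFilter("java.util.HashMap;!*"), which can also cap graph depth and array sizes.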

Find out more about CVE-2015-7501 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.

CVSS v2 metrics

Base Score 7.5
Base Metrics AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6.1 RHSA-2015:2501 2015-11-20
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-apache-commons-collections) RHSA-2015:2523 2015-11-30
Red Hat Enterprise Linux 5 (jakarta-commons-collections) RHSA-2015:2671 2015-12-21
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-collections) RHSA-2015:2535 2015-12-01
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2015:2514 2015-11-24
Red Hat JBoss Web Server 3.0 RHSA-2015:2548 2015-12-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) RHSA-2015:2536 2015-12-01
Red Hat JBoss Fuse Service Works 6.0 RHSA-2015:2517 2015-11-25
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2015:2542 2015-12-02
Red Hat JBoss Enterprise Application Platform 6.2 RHSA-2015:2501 2015-11-20
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2015:2538 2015-12-02
Red Hat JBoss Operations Network 3.2 RHSA-2015:2547 2015-12-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) RHSA-2015:2500 2015-11-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-collections) RHSA-2015:2535 2015-12-01
Red Hat JBoss Data Virtualization 6.2 RHSA-2015:2534 2015-12-01
JBoss Enterprise BRMS Platform 5.3 RHSA-2015:2670 2015-12-18
Red Hat Enterprise Linux 6 (jakarta-commons-collections) RHSA-2015:2521 2015-11-30
Red Hat JBoss Enterprise Application Platform 4.3 RHSA-2015:2514 2015-11-24
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) RHSA-2015:2536 2015-12-01
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:2534 2015-12-01
Red Hat JBoss BPMS 6.2 RHSA-2015:2560 2015-12-07
Red Hat Enterprise Linux 7 (apache-commons-collections) RHSA-2015:2522 2015-11-30
Red Hat JBoss Fuse 6.2 RHSA-2015:2556 2015-12-07
Red Hat JBoss Data Grid 6.4 RHSA-2015:2502 2015-11-20
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) RHSA-2015:2536 2015-12-01
Red Hat JBoss Operations Network 3.3 RHSA-2016:0118 2016-02-03
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) RHSA-2015:2500 2015-11-20
Red Hat JBoss A-MQ 6.2 RHSA-2015:2557 2015-12-07
RHOSE Client 2.0 (jenkins) RHSA-2016:1773 2016-08-24
Red Hat JBoss Data Virtualization 6.0 RHSA-2015:2534 2015-12-01
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2015:2541 2015-12-02
Red Hat JBoss Portal 6.2 RHSA-2015:2537 2015-12-01
Red Hat JBoss SOA Platform 5.3 RHSA-2015:2516 2015-11-25
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2015:2501 2015-11-20
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-apache-commons-collections) RHSA-2015:2523 2015-11-30
Red Hat JBoss BRMS 6.2 RHSA-2015:2559 2015-12-07
Red Hat JBoss BPMS 6.0 RHSA-2015:2579 2015-12-08
Red Hat JBoss Operations Network 3.1 RHSA-2016:0040 2016-01-14
Red Hat JBoss Data Grid 6.5 RHSA-2015:2502 2015-11-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-collections) RHSA-2015:2535 2015-12-01
Red Hat JBoss Enterprise Application Platform 5.1 RHSA-2015:2514 2015-11-24
Red Hat JBoss BRMS 6.1 RHSA-2015:2578 2015-12-08
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2015:2539 2015-12-02
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2015:2501 2015-11-20
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2015:2540 2015-12-02
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) RHSA-2015:2500 2015-11-20
Red Hat JBoss Operations Network 3.3 RHSA-2015:2524 2015-11-30

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 jasperreports-server-pro Affected
Red Hat OpenStack Platform 8.0 (Liberty) opendaylight Not affected
Red Hat JBoss Portal 5 jbossas Affected
Red Hat JBoss Fuse Service Works 6 jbossas Affected
Red Hat JBoss Enterprise SOA Platform 5 JBossAS Affected
Red Hat JBoss Enterprise SOA Platform 5 jbossas Affected
Red Hat JBoss Enterprise SOA Platform 4 JBossAS Affected
Red Hat JBoss EWS 2 tomcat Not affected
Red Hat JBoss BRMS 5 jbossas Affected
RHEV-M for Servers jasperreports-server-pro Affected
