Apache commons-collections: Remote code execution during deserialisation (CVE 2015-7501)

Public Date: November 19, 2015, 14:36
Updated March 11, 2016, 10:27 - No translations currently exist.

Was this information helpful?

Resolved Status
Critical Impact

Red Hat Product Security has been made aware of a series of issues ranging from important to critical impact in the Apache Commons-Collections library. These issues can allow Remote Code Execution (RCE) if not otherwise protected.

Background Information

An attacker can use the privileges of the user running JBoss Enterprise Application Platform to execute a command on the system.

The following versions of Red Hat Products are impacted:

  • Red Hat JBoss A-MQ 6.x
  • Red Hat JBoss BPM Suite (BPMS) 6.x
  • Red Hat JBoss BRMS 6.x
  • Red Hat JBoss BRMS 5.x
  • Red Hat JBoss Data Grid (JDG) 6.x
  • Red Hat JBoss Data Virtualization (JDV) 6.x
  • Red Hat JBoss Data Virtualization (JDV) 5.x
  • Red Hat JBoss Enterprise Application Platform 6.x
  • Red Hat JBoss Enterprise Application Platform 5.x
  • Red Hat JBoss Enterprise Application Platform 4.3.x
  • Red Hat JBoss Fuse 6.x
  • Red Hat JBoss Fuse Service Works (FSW) 6.x
  • Red Hat JBoss Operations Network (JBoss ON) 3.x
  • Red Hat JBoss Portal 6.x
  • Red Hat JBoss SOA Platform (SOA-P) 5.x
  • Red Hat JBoss Web Server (JWS) 3.x
  • Red Hat OpenShift/xPAAS 3.x
  • Red Hat Subscription Asset Manager 1.3

Take Action

The quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files ( InvokerTransformer , InstantiateFactory , and InstantiateTransformer )in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.

If you bundle commons-collection library in your application you may still be vulnerable, even after the forthcoming patches are applied. You'll need to make changes to the commons-collections library yourself if you package one.

Detailed Impact Information

Below is a listing of the impacted products and the available patches to remediate

Product Advisory/Update
Red Hat Enterprise Linux 5 (jakarta-commons-collections package) RHSA-2015:2671
Red Hat Enterprise Linux 6 (jakarta-commons-collections package) RHSA-2015:2521
Red Hat Enterprise Linux 7 (rh-java-apache-commons-collections package) RHSA-2015:2523
Red Hat Enterprise Linux 7 (apache-commons-collections package) RHSA-2015:2522
Red Hat JBoss A-MQ 6.0 Red Hat JBoss Fuse/A-MQ 6.0 Rollup 3 Patch 2
Red Hat JBoss A-MQ 6.1 Red Hat JBoss Fuse/A-MQ 6.1 Rollup 4
Red Hat JBoss A-MQ 6.2.x RHSA-2015:2557
Red Hat JBoss BPM Suite 6.1.0 RHSA-2015:2579
Red Hat JBoss BRMS 5.3.1 RHSA-2015:2670
Red Hat JBoss BRMS 6.1.0 RHSA-2015:2578
Red Hat JBoss Data Grid 6.4.1 RHSA-2015:2502
Red Hat JBoss Data Grid 6.5.1 RHSA-2015:2502
Red Hat JBoss Data Virtualization 6.0_2_2015 RHSA-2015:2534:03
Red Hat JBoss Data Virtualization 6.1.4 RHSA-2015:2534:03
Red Hat JBoss Data Virtualization 6.2.1 RHSA-2015:2534:03
Red Hat JBoss Enterprise Application Platform 4.3 CP10 RHSA-2015:2514
Red Hat JBoss Enterprise Application Platform 5 RPM Channel RHSA-2015:2535:07
Red Hat JBoss Enterprise Application Platform 5.1.2 RHSA-2015:2514
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2015:2514
Red Hat JBoss Enterprise Application Platform 6 RPM Channel RHSA-2015:2500
Red Hat JBoss Enterprise Application Platform 6.2.0 - 6.2.3 Apply 6.2 Update 04, and then the patch for 6.2.4 listed on this page.
Red Hat JBoss Enterprise Application Platform 6.2.4 (zip) RHSA-2015:2501
Red Hat JBoss Enterprise Application Platform 6.3 RPM Channel RHSA-2015-2536
Red Hat JBoss Enterprise Application Platform 6.3.0 - 6.3.2 Apply 6.3 Update 03, and then the patch for 6.3.3 listed on this page.
Red Hat JBoss Enterprise Application Platform 6.3.3 (zip) RHSA-2015:2501
Red Hat JBoss Enterprise Application Platform 6.4.0 - 6.4.3 Apply 6.4 Update 04, and then the patch for 6.4.4 listed on this page.
Red Hat JBoss Enterprise Application Platform 6.4.4 RHSA-2015:2501
Red Hat JBoss Enterprise Application Platform 6 EL5 RHSA-2015:2538
Red Hat JBoss Enterprise Application Platform 6 EL6 RHSA-2015:2539
Red Hat JBoss Enterprise Application Platform 6 EL7 RHSA-2015:2540
Red Hat JBoss Enterprise Application Platform 6.4.5 RHSA-2015:2541
Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap RHSA-2015:2542
Red Hat JBoss Fuse 6.0 & 6.1 Red Hat JBoss Fuse/A-MQ 6.0 Rollup 3 Patch 2
Red Hat JBoss Fuse 6.1 Red Hat JBoss Fuse/A-MQ 6.1 Rollup 4
Red Hat JBoss Fuse 6.2.x RHSA-2015:2556
Red Hat JBoss Fuse Service Works 6.0.2 RHSA-2015:2517
Red Hat JBoss Operations Network 3.1.2 JON Server 3,1,2 Update 11
Red Hat JBoss Operations Network 3.2.3 RHSA-2015:2547
Red Hat JBoss Operations Network 3.3.4 RHSA-2015:2524
Red Hat JBoss Portal Platform 6.2.0 RHSA-2015:2537
Red Hat JBoss SOA-P 5.3.1 RHSA-2015:2516
Red Hat JBoss Web Server 3.0.1/2 RHSA-2015:2548
Red Hat OpenShift 2.x EAP 6.x and EWS 2.1 / JWS 3.x RPM updates in this table will resolve this for OpenShift middleware cartridges.
Red Hat OpenShift/xPAAS 3.x EAP 6.x and EWS 2.1 / JWS 3.x RPM updates in this table will resolve this for OpenShift middleware images.
Red Hat Subscription Asset Manager 1.3 Exploitation of this issue would not result in additional access or privilege escalation by an attacker; additionally local access would be needed

Comments