Apache commons-collections: Remote code execution during deserialisation (CVE 2015-7501)
Updated
Red Hat Product Security has been made aware of a series of issues ranging from important to critical impact in the Apache Commons-Collections library. These issues can allow Remote Code Execution (RCE) if not otherwise protected.
Background Information
-
An issue was reported for the Java Object Serialization affecting the
JMXInvokerServletinterface:
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ -
The article describes a security vulnerability when deserializing Java objects from untrusted sources with the Apache commons-collections library , containing certain risky classes, on the classpath. This reported issue impacts many products in the JBoss Middleware Suite, as they include this library.
-
This issue is being managed through CVE 2015-7501
-
Direct exploitation of this vulnerability requires some means of getting an application to accept an object containing one of the risky classes. The patches linked to in this document address the main vulnerability in the commons-collections library; individual flaws will be addressed in other fixes as they are discovered.
An attacker can use the privileges of the user running JBoss Enterprise Application Platform to execute a command on the system.
The following versions of Red Hat Products are impacted:
- Red Hat JBoss A-MQ 6.x
- Red Hat JBoss BPM Suite (BPMS) 6.x
- Red Hat JBoss BRMS 6.x
- Red Hat JBoss BRMS 5.x
- Red Hat JBoss Data Grid (JDG) 6.x
- Red Hat JBoss Data Virtualization (JDV) 6.x
- Red Hat JBoss Data Virtualization (JDV) 5.x
- Red Hat JBoss Enterprise Application Platform 6.x
- Red Hat JBoss Enterprise Application Platform 5.x
- Red Hat JBoss Enterprise Application Platform 4.3.x
- Red Hat JBoss Fuse 6.x
- Red Hat JBoss Fuse Service Works (FSW) 6.x
- Red Hat JBoss Operations Network (JBoss ON) 3.x
- Red Hat JBoss Portal 6.x
- Red Hat JBoss SOA Platform (SOA-P) 5.x
- Red Hat JBoss Web Server (JWS) 3.x
- Red Hat OpenShift/xPAAS 3.x
- Red Hat Subscription Asset Manager 1.3
Take Action
The quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (
InvokerTransformer
,
InstantiateFactory
, and
InstantiateTransformer
)in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.
If you bundle commons-collection library in your application you may still be vulnerable, even after the forthcoming patches are applied. You'll need to make changes to the commons-collections library yourself if you package one.
Detailed Impact Information
Below is a listing of the impacted products and the available patches to remediate
| Product | Advisory/Update |
|---|---|
| Red Hat Enterprise Linux 5 (jakarta-commons-collections package) | RHSA-2015:2671 |
| Red Hat Enterprise Linux 6 (jakarta-commons-collections package) | RHSA-2015:2521 |
| Red Hat Enterprise Linux 7 (rh-java-apache-commons-collections package) | RHSA-2015:2523 |
| Red Hat Enterprise Linux 7 (apache-commons-collections package) | RHSA-2015:2522 |
| Red Hat JBoss A-MQ 6.0 | Red Hat JBoss Fuse/A-MQ 6.0 Rollup 3 Patch 2 |
| Red Hat JBoss A-MQ 6.1 | Red Hat JBoss Fuse/A-MQ 6.1 Rollup 4 |
| Red Hat JBoss A-MQ 6.2.x | RHSA-2015:2557 |
| Red Hat JBoss BPM Suite 6.1.0 | RHSA-2015:2579 |
| Red Hat JBoss BRMS 5.3.1 | RHSA-2015:2670 |
| Red Hat JBoss BRMS 6.1.0 | RHSA-2015:2578 |
| Red Hat JBoss Data Grid 6.4.1 | RHSA-2015:2502 |
| Red Hat JBoss Data Grid 6.5.1 | RHSA-2015:2502 |
| Red Hat JBoss Data Virtualization 6.0_2_2015 | RHSA-2015:2534:03 |
| Red Hat JBoss Data Virtualization 6.1.4 | RHSA-2015:2534:03 |
| Red Hat JBoss Data Virtualization 6.2.1 | RHSA-2015:2534:03 |
| Red Hat JBoss Enterprise Application Platform 4.3 CP10 | RHSA-2015:2514 |
| Red Hat JBoss Enterprise Application Platform 5 RPM Channel | RHSA-2015:2535:07 |
| Red Hat JBoss Enterprise Application Platform 5.1.2 | RHSA-2015:2514 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2015:2514 |
| Red Hat JBoss Enterprise Application Platform 6 RPM Channel | RHSA-2015:2500 |
| Red Hat JBoss Enterprise Application Platform 6.2.0 - 6.2.3 | Apply 6.2 Update 04, and then the patch for 6.2.4 listed on this page. |
| Red Hat JBoss Enterprise Application Platform 6.2.4 (zip) | RHSA-2015:2501 |
| Red Hat JBoss Enterprise Application Platform 6.3 RPM Channel | RHSA-2015-2536 |
| Red Hat JBoss Enterprise Application Platform 6.3.0 - 6.3.2 | Apply 6.3 Update 03, and then the patch for 6.3.3 listed on this page. |
| Red Hat JBoss Enterprise Application Platform 6.3.3 (zip) | RHSA-2015:2501 |
| Red Hat JBoss Enterprise Application Platform 6.4.0 - 6.4.3 | Apply 6.4 Update 04, and then the patch for 6.4.4 listed on this page. |
| Red Hat JBoss Enterprise Application Platform 6.4.4 | RHSA-2015:2501 |
| Red Hat JBoss Enterprise Application Platform 6 EL5 | RHSA-2015:2538 |
| Red Hat JBoss Enterprise Application Platform 6 EL6 | RHSA-2015:2539 |
| Red Hat JBoss Enterprise Application Platform 6 EL7 | RHSA-2015:2540 |
| Red Hat JBoss Enterprise Application Platform 6.4.5 | RHSA-2015:2541 |
| Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap | RHSA-2015:2542 |
| Red Hat JBoss Fuse 6.0 & 6.1 | Red Hat JBoss Fuse/A-MQ 6.0 Rollup 3 Patch 2 |
| Red Hat JBoss Fuse 6.1 | Red Hat JBoss Fuse/A-MQ 6.1 Rollup 4 |
| Red Hat JBoss Fuse 6.2.x | RHSA-2015:2556 |
| Red Hat JBoss Fuse Service Works 6.0.2 | RHSA-2015:2517 |
| Red Hat JBoss Operations Network 3.1.2 | JON Server 3,1,2 Update 11 |
| Red Hat JBoss Operations Network 3.2.3 | RHSA-2015:2547 |
| Red Hat JBoss Operations Network 3.3.4 | RHSA-2015:2524 |
| Red Hat JBoss Portal Platform 6.2.0 | RHSA-2015:2537 |
| Red Hat JBoss SOA-P 5.3.1 | RHSA-2015:2516 |
| Red Hat JBoss Web Server 3.0.1/2 | RHSA-2015:2548 |
| Red Hat OpenShift 2.x | EAP 6.x and EWS 2.1 / JWS 3.x RPM updates in this table will resolve this for OpenShift middleware cartridges. |
| Red Hat OpenShift/xPAAS 3.x | EAP 6.x and EWS 2.1 / JWS 3.x RPM updates in this table will resolve this for OpenShift middleware images. |
| Red Hat Subscription Asset Manager 1.3 | Exploitation of this issue would not result in additional access or privilege escalation by an attacker; additionally local access would be needed |
Comments