Executive Summary

Summary
Title: jakarta-commons-collections security update

Information
Name: RHSA-2015:2521               First vendor publication: 2015-11-30
Vendor: RedHat                     Last vendor modification: 2015-11-30
Severity (vendor): Important       Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA                     Environmental score: NA
Impact sub score: NA               Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS base score: 10                Attack range: Network
CVSS impact score: 10              Attack complexity: Low
CVSS exploit score: 10             Authentication: None required

Detail

1. Problem description:

Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when an application deserialized data containing a specially constructed chain of the library's own classes (a gadget chain built around InvokerTransformer, which reflectively invokes a caller-chosen method when the chain is evaluated). The library does not deserialize anything by itself; the exposure is every application that passes attacker-reachable data to Java serialization with commons-collections on its classpath. A remote attacker able to supply such data could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of the commons-collections classes usable in such a chain is no longer allowed; an attempt to deserialize them now fails instead of instantiating the object. Applications that genuinely require those classes to be deserialized can set the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization. Setting the property restores the vulnerable behaviour for that whole JVM, so it should be used only where the application never deserializes data from an untrusted source.
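The pattern behind this fix is to decide whether a class may be deserialized before any instance of it exists. The following is an added example written for this page, not Red Hat's backported patch and not Apache Commons Collections code: a look-ahead ObjectInputStream that rejects the commons-collections functor packages outright and otherwise admits only an application-chosen allowlist, beside the unfiltered read that the advisory describes as vulnerable. The allowlist contents and the property name "example.enableUnsafeSerialization" are this example's own assumptions; the property mirrors the kind of toggle the advisory describes but is not the real org.apache.commons.collections.enableUnsafeSerialization. The example needs no commons-collections jar: java.util.Date stands in for "a class the application did not expect".

```java
import java.io.*;
import java.util.*;

public class SafeDeserialization {

    // Classes this hypothetical application expects in its streams. String never
    // reaches resolveClass (it is a primitive stream token); Number is listed because
    // Integer's descriptor chains to its Serializable superclass.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    // Packages holding the commons-collections gadget classes (InvokerTransformer and
    // friends). Rejected unconditionally, as a second line behind the allowlist.
    static final String[] DENIED_PREFIXES = {
            "org.apache.commons.collections.functors.",
            "org.apache.commons.collections4.functors."
    };

    // Hypothetical escape hatch (this example's own property name): when set, the
    // filter is bypassed and the stream is exactly as dangerous as before the fix.
    static final boolean UNSAFE = Boolean.getBoolean("example.enableUnsafeSerialization");

    static class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        // Invoked for every class descriptor in the stream, before instantiation, so a
        // rejected class never runs readObject(), readResolve() or a transformer.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!UNSAFE) {
                for (String prefix : DENIED_PREFIXES) {
                    if (name.startsWith(prefix)) {
                        throw new InvalidClassException(name, "known gadget class blocked");
                    }
                }
                if (!ALLOWED.contains(name)) {
                    throw new InvalidClassException(name, "not on deserialization allowlist");
                }
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The vulnerable pattern: whatever class the bytes name gets loaded and built.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // The hardened pattern: same call site, filtering stream.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> expected = new HashMap<>();
        expected.put("retries", 3);
        System.out.println("allowlisted HashMap read back: " + safeRead(serialize(expected)));

        // Constructed "unexpected" payload: harmless here, but the filter cannot tell a
        // harmless surprise from a gadget, so it rejects both the same way.
        byte[] unexpected = serialize(new Date(0));
        System.out.println("plain ObjectInputStream accepts: "
                + unsafeRead(unexpected).getClass().getName());
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("hardened stream rejects: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialization.java && java SafeDeserialization`; rerun with `java -Dexample.enableUnsafeSerialization=true SafeDeserialization` to see the filter bypassed, which is the same trade the advisory's property makes at library level. The patched RHEL 6 package enforces its block inside commons-collections itself; an application-side filter like this one is defence in depth for any other gadget class on the classpath. On JDK 9 and later the standard mechanism for the same check is java.io.ObjectInputFilter (JEP 290), configurable through the jdk.serialFilter property without subclassing.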

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect, since a JVM keeps using the copy of the library it loaded at start-up rather than the replaced file on disk.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2015-2521.html

CWE : Common Weakness Enumeration

%       Id        Name
100 %   CWE-502   Deserialization of Untrusted Data

CPE : Common Platform Enumeration

Type: Application (15 entries; the CPE names themselves are not present on this page)

Nessus® Vulnerability Scanner

Date Description
2018-03-21 Name : The remote device is affected by multiple vulnerabilities.
File : juniper_space_jsa_10838.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_2_2_1075.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by a remote code exe...
File : mysql_enterprise_monitor_3_1_6_7959.nasl - Type : ACT_GATHER_INFO
2016-10-26 Name : An application server installed on the remote host is affected by multiple vu...
File : oracle_weblogic_server_cpu_oct_2016.nasl - Type : ACT_GATHER_INFO
2016-05-03 Name : The remote host has a web application installed that is affected by a remote ...
File : oracle_oats_cpu_apr_2016.nasl - Type : ACT_GATHER_INFO
2016-01-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2540.nasl - Type : ACT_GATHER_INFO
2015-12-22 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20151221_jakarta_commons_collections_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2015-12-22 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-2671.nasl - Type : ACT_GATHER_INFO
2015-12-22 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO
2015-12-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO
2015-12-15 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-618.nasl - Type : ACT_GATHER_INFO
2015-12-10 Name : The remote JBoss server is affected by multiple remote code execution vulnera...
File : jboss_java_serialize.nasl - Type : ACT_ATTACK
2015-12-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2542.nasl - Type : ACT_GATHER_INFO
2015-12-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2539.nasl - Type : ACT_GATHER_INFO
2015-12-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2538.nasl - Type : ACT_GATHER_INFO
2015-12-04 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2015-2536.nasl - Type : ACT_GATHER_INFO
2015-12-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2535.nasl - Type : ACT_GATHER_INFO
2015-12-03 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO
2015-12-03 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO
2015-12-02 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO
2015-12-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20151130_jakarta_commons_collections_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2015-12-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20151130_apache_commons_collections_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-12-01 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-2522.nasl - Type : ACT_GATHER_INFO
2015-12-01 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-2521.nasl - Type : ACT_GATHER_INFO
2015-11-30 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO
2015-11-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2015-2500.nasl - Type : ACT_GATHER_INFO

Alert History

Date                  Information
2018-01-05 09:26:23
  • Multiple Updates
2015-12-05 13:28:36
  • Multiple Updates
2015-12-04 13:26:29
  • Multiple Updates
2015-12-01 13:26:35
  • Multiple Updates
2015-11-30 21:24:40
  • First insertion