Executive Summary
Summary | |
---|---|
Title | jakarta-commons-collections security update |

Information | | | |
---|---|---|---|
Name | RHSA-2015:2671 | First vendor Publication | 2015-12-21 |
Vendor | RedHat | Last vendor Modification | 2015-12-21 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
CVSS Base Score | 10 | Attack Range | Network |
CVSS Impact Score | 10 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Problem Description:

Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop Workstation (v. 5 client) - i386, x86_64

3. Description:

The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization.

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to: https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2015-2671.html
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-502 | Deserialization of Untrusted Data |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 2 |
Application | | 3 |
Application | | 2 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Application | | 1 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-03-21 | Name : The remote device is affected by multiple vulnerabilities. File : juniper_space_jsa_10838.nasl - Type : ACT_GATHER_INFO |
2017-01-25 | Name : A web application running on the remote host is affected by multiple vulnerab... File : mysql_enterprise_monitor_3_2_2_1075.nasl - Type : ACT_GATHER_INFO |
2017-01-25 | Name : A web application running on the remote host is affected by a remote code exe... File : mysql_enterprise_monitor_3_1_6_7959.nasl - Type : ACT_GATHER_INFO |
2016-10-26 | Name : An application server installed on the remote host is affected by multiple vu... File : oracle_weblogic_server_cpu_oct_2016.nasl - Type : ACT_GATHER_INFO |
2016-05-03 | Name : The remote host has a web application installed that is affected by a remote ... File : oracle_oats_cpu_apr_2016.nasl - Type : ACT_GATHER_INFO |
2016-01-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2540.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151221_jakarta_commons_collections_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-15 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-618.nasl - Type : ACT_GATHER_INFO |
2015-12-10 | Name : The remote JBoss server is affected by multiple remote code execution vulnera... File : jboss_java_serialize.nasl - Type : ACT_ATTACK |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2542.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2539.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2538.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2015-2536.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2535.nasl - Type : ACT_GATHER_INFO |
2015-12-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-12-02 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151130_jakarta_commons_collections_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151130_apache_commons_collections_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-11-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2015-2500.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2018-01-05 09:26:23 | |
2015-12-23 13:26:08 | |
2015-12-22 13:25:34 | |
2015-12-21 09:23:16 | |