ID CVE-2015-7501
Summary Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:data_grid:6.0.0
  • Red Hat JBoss A-MQ 6.0.0
    cpe:2.3:a:redhat:jboss_a-mq:6.0.0
  • Red Hat JBoss BPM Suite 6.0.0
    cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0
  • cpe:2.3:a:redhat:jboss_data_virtualization:5.0.0
  • Red Hat JBoss Data Virtualization 6.0.0
    cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0
  • Red Hat JBoss Enterprise Application Platform 4.3.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0
  • Red Hat JBoss Enterprise Application Platform (EAP) 5.0.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0
  • Red Hat JBoss Enterprise Application Platform (EAP) 6.0.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0
  • Red Hat JBoss Enterprise BRMS Platform 5.0.0
    cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0
  • Red Hat JBoss Enterprise BRMS Platform 6.0.0
    cpe:2.3:a:redhat:jboss_enterprise_brms_platform:6.0.0
  • Red Hat JBoss Enterprise SOA Platform 5.0.0
    cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0
  • cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0
  • Red Hat JBoss Fuse 6.0.0
    cpe:2.3:a:redhat:jboss_fuse:6.0.0
  • Red Hat JBoss Fuse Service Works 6.0 (6)
    cpe:2.3:a:redhat:jboss_fuse_service_works:6.0
  • Red Hat JBoss Operations Network (aka JON or JBoss ON) 3.0
    cpe:2.3:a:redhat:jboss_operations_network:3.0
  • cpe:2.3:a:redhat:jboss_portal:6.0.0
  • Red Hat OpenShift 3.0 Enterprise Edition
    cpe:2.3:a:redhat:openshift:3.0:-:-:-:enterprise
  • Red Hat Subscription Asset Manager 1.3.0
    cpe:2.3:a:redhat:subscription_asset_manager:1.3.0
  • cpe:2.3:a:redhat:xpaas:3.0.0
CVSS
Base: 10.0
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Windows
    NASL id ORACLE_BI_PUBLISHER_APR_2018_CPU.NASL
    description The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.7.x prior to 11.1.1.7.180417 or 11.1.1.9.x prior to 11.1.1.9.180417, similarly, versions 12.2.1.2.x prior to 12.2.1.2.180116 and 12.2.1.3.x prior to 12.2.1.3.180116 are affected as noted in the April 2018 Critical Patch Update advisory. The Oracle Business Intelligence Publisher installed on the remote host is affected by multiple vulnerabilities: - A vulnerability can be exploited by a remote attacker by sending a crafted serialized Java object. A successful attack would allow the attacker to execute arbitrary commands on the vulnerable server (CVE-2015-7501). - A vulnerability exists on Apache Batik before 1.9. The vulnerability would allow an attacker to send a malicious SVG file to a user. An attacker who successfully exploits this vulnerability could result in the compromise of the server (CVE-2017-5662). Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2019-01-15
    plugin id 119939
    published 2018-12-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119939
    title Oracle Business Intelligence Publisher Multiple Vulnerabilities (April 2018 CPU)
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10838.NASL
    description According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 108520
    published 2018-03-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108520
    title Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2538.NASL
    description Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87192
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87192
    title RHEL 5 : JBoss EAP (RHSA-2015:2538)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2540.NASL
    description Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87837
    published 2016-01-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87837
    title RHEL 7 : JBoss EAP (RHSA-2015:2540)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2671.NASL
    description Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87519
    published 2015-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87519
    title RHEL 5 : jakarta-commons-collections (RHSA-2015:2671)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2671.NASL
    description Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87540
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87540
    title CentOS 5 : jakarta-commons-collections (CESA-2015:2671)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151130_JAKARTA_COMMONS_COLLECTIONS_ON_SL6_X.NASL
    description It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforeseen complications. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87121
    published 2015-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87121
    title Scientific Linux Security Update : jakarta-commons-collections on SL6.x (noarch)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2542.NASL
    description Updated jboss-ec2-eap packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.5. Documentation for these changes is available from the link in the References section. All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87194
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87194
    title RHEL 6 : JBoss EAP (RHSA-2015:2542)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2536.NASL
    description Updated packages that fix one security issue for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.3 are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 87191
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87191
    title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2536)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2539.NASL
    description Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87193
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87193
    title RHEL 6 : JBoss EAP (RHSA-2015:2539)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1773.NASL
    description An update is now available for Red Hat OpenShift Enterprise 2.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. * The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727, CVE-2015-7501) Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.10, for details about these changes: https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.
    last seen 2019-02-21
    modified 2019-01-28
    plugin id 119378
    published 2018-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119378
    title RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)
  • NASL family Misc.
    NASL id ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL
    description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505) - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488) - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531) - An unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535) - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 94290
    published 2016-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94290
    title Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2522.NASL
    description Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87179
    published 2015-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87179
    title RHEL 7 : apache-commons-collections (RHSA-2015:2522)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151221_JAKARTA_COMMONS_COLLECTIONS_ON_SL5_X.NASL
    description It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforeseen complications. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87587
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87587
    title Scientific Linux Security Update : jakarta-commons-collections on SL5.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151130_APACHE_COMMONS_COLLECTIONS_ON_SL7_X.NASL
    description It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforeseen complications. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87120
    published 2015-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87120
    title Scientific Linux Security Update : apache-commons-collections on SL7.x (noarch)
  • NASL family CGI abuses
    NASL id MYSQL_ENTERPRISE_MONITOR_3_1_6_7959.NASL
    description According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.6.7959. It is, therefore, affected by a remote code execution vulnerability in the JMXInvokerServlet interface due to improper validation of Java objects before deserialization. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96768
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96768
    title MySQL Enterprise Monitor 3.1.x < 3.1.6.7959 Java Object Deserialization RCE (January 2017 CPU)
  • NASL family Misc.
    NASL id ORACLE_OATS_CPU_APR_2016.NASL
    description The version of Oracle Application Testing Suite installed on the remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted SOAP request, to execute arbitrary code on the target host.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 90859
    published 2016-05-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90859
    title Oracle Application Testing Suite Java Object Deserialization RCE (April 2016 CPU)
  • NASL family Misc.
    NASL id ORACLE_IDENTITY_MANAGEMENT_CPU_JAN_2018.NASL
    description The remote host is missing the January 2018 Critical Patch Update for Oracle Identity Manager. It is, therefore, affected by multiple vulnerabilities as described in the January 2018 critical patch update advisory.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 106140
    published 2018-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106140
    title Oracle Identity Manager Multiple Vulnerabilities (January 2018 CPU)
  • NASL family Web Servers
    NASL id ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL
    description The version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities as noted in the January 2018 CPU advisory.
    last seen 2019-02-21
    modified 2019-01-25
    plugin id 106299
    published 2018-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106299
    title Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2522.NASL
    description Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87161
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87161
    title CentOS 7 : apache-commons-collections (CESA-2015:2522)
  • NASL family Web Servers
    NASL id SUN_JAVA_WEB_SERVER_7_0_27.NASL
    description According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.27 Patch 26834070. It is, therefore, affected by an unspecified vulnerability in the Network Security Services (NSS) library with unknown impact.
    last seen 2019-02-21
    modified 2018-08-03
    plugin id 106349
    published 2018-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106349
    title Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2522.NASL
    description From Red Hat Security Advisory 2015:2522 : Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of apache-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87119
    published 2015-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87119
    title Oracle Linux 7 : apache-commons-collections (ELSA-2015-2522)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2521.NASL
    description Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87174
    published 2015-12-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87174
    title CentOS 6 : jakarta-commons-collections (CESA-2015:2521)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2521.NASL
    description From Red Hat Security Advisory 2015:2521 : Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87118
    published 2015-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87118
    title Oracle Linux 6 : jakarta-commons-collections (ELSA-2015-2521)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-618.NASL
    description It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 87344
    published 2015-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87344
    title Amazon Linux AMI : apache-commons-collections (ALAS-2015-618)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2500.NASL
    description Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.4, which fix one security issue, are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 87044
    published 2015-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87044
    title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2500)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2671.NASL
    description From Red Hat Security Advisory 2015:2671 : Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87547
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87547
    title Oracle Linux 5 : jakarta-commons-collections (ELSA-2015-2671)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2521.NASL
    description Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property 'org.apache.commons.collections.enableUnsafeSerialization' to re-enable their deserialization. Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87102
    published 2015-11-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87102
    title RHEL 6 : jakarta-commons-collections (RHSA-2015:2521)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2535.NASL
    description Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 5.2, which fix one security issue, are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 5 is a platform for Java applications based on JBoss Application Server 6. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 5.2 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 87190
    published 2015-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87190
    title RHEL 5 / 6 : JBoss EAP (RHSA-2015:2535)
  • NASL family Web Servers
    NASL id JBOSS_JAVA_SERIALIZE.NASL
    description The remote JBoss server is affected by multiple remote code execution vulnerabilities : - A flaw exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. A remote attacker can exploit this issue to bypass authentication and invoke MBean methods, allowing arbitrary code to be executed in the context of the user running the server. (CVE-2012-0874) - The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host. (CVE-2015-7501)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 87312
    published 2015-12-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87312
    title JBoss Java Object Deserialization RCE
  • NASL family CGI abuses
    NASL id MYSQL_ENTERPRISE_MONITOR_3_2_2_1075.NASL
    description According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.2.1075. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the bundled version of Apache Tomcat in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An authenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to improper validation of Java objects before deserialization. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - A remote code execution vulnerability exists in the Framework subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-0635) - An information disclosure vulnerability exists in the bundled version of Apache Tomcat that allows a specially crafted web application to load the StatusManagerServlet. An authenticated, remote attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A remote code execution vulnerability exists in the bundled version of Apache Tomcat due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An authenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A security bypass vulnerability exists in the bundled version of Apache Tomcat due to a failure to consider whether ResourceLinkFactory.setGlobalContext callers are authorized. 
    An authenticated, remote attacker can exploit this, via a web application that sets a crafted global context, to bypass intended SecurityManager restrictions and read or write to arbitrary application data or cause a denial of service condition. (CVE-2016-0763)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96769
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96769
    title MySQL Enterprise Monitor 3.2.x < 3.2.2.1075 Multiple Vulnerabilities (January 2017 CPU)
redhat via4
advisories
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment jakarta-commons-collections is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521007
        • comment jakarta-commons-collections is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521008
      • AND
        • comment jakarta-commons-collections-javadoc is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521005
        • comment jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521006
      • AND
        • comment jakarta-commons-collections-testframework is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521009
        • comment jakarta-commons-collections-testframework is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521010
      • AND
        • comment jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521011
        • comment jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521012
      • AND
        • comment jakarta-commons-collections-tomcat5 is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521013
        • comment jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521014
    rhsa
    id RHSA-2015:2521
    released 2015-11-30
    severity Important
    title RHSA-2015:2521: jakarta-commons-collections security update (Important)
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment apache-commons-collections is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522007
        • comment apache-commons-collections is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522008
      • AND
        • comment apache-commons-collections-javadoc is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522011
        • comment apache-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522012
      • AND
        • comment apache-commons-collections-testframework is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522005
        • comment apache-commons-collections-testframework is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522006
      • AND
        • comment apache-commons-collections-testframework-javadoc is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522009
        • comment apache-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522010
    rhsa
    id RHSA-2015:2522
    released 2015-11-30
    severity Important
    title RHSA-2015:2522: apache-commons-collections security update (Important)
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment jakarta-commons-collections is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671004
        • comment jakarta-commons-collections is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671005
      • AND
        • comment jakarta-commons-collections-javadoc is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671008
        • comment jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671009
      • AND
        • comment jakarta-commons-collections-testframework is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671006
        • comment jakarta-commons-collections-testframework is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671007
      • AND
        • comment jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671010
        • comment jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671011
      • AND
        • comment jakarta-commons-collections-tomcat5 is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671002
        • comment jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671003
    rhsa
    id RHSA-2015:2671
    released 2015-12-21
    severity Important
    title RHSA-2015:2671: jakarta-commons-collections security update (Important)
  • rhsa
    id RHSA-2015:2500
  • rhsa
    id RHSA-2015:2501
  • rhsa
    id RHSA-2015:2502
  • rhsa
    id RHSA-2015:2514
  • rhsa
    id RHSA-2015:2516
  • rhsa
    id RHSA-2015:2517
  • rhsa
    id RHSA-2015:2524
  • rhsa
    id RHSA-2015:2536
  • rhsa
    id RHSA-2015:2670
  • rhsa
    id RHSA-2016:0040
  • rhsa
    id RHSA-2016:1773
rpms
  • jakarta-commons-collections-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7
  • apache-commons-collections-0:3.2.1-22.el7_2
  • apache-commons-collections-javadoc-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2
  • jakarta-commons-collections-0:3.2-2jpp.4
  • jakarta-commons-collections-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-tomcat5-0:3.2-2jpp.4
refmap via4
bid 78215
confirm
sectrack
  • 1034097
  • 1037052
  • 1037053
  • 1037640
Last major update 09-11-2017 - 12:29
Published 09-11-2017 - 12:29
Last modified 16-10-2018 - 21:29