ID CVE-2015-7501
Summary Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Vulnerable Configurations
  • cpe:2.3:a:redhat:data_grid:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_data_virtualization:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_brms_platform:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_portal:6.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*
  • cpe:2.3:a:redhat:subscription_asset_manager:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:xpaas:3.0.0:*:*:*:*:*:*:*
CVSS
Base: 10.0 (as of 17-10-2018 - 01:29)
CWE CWE-502
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: COMPLETE
  Integrity: COMPLETE
  Availability: COMPLETE
cvss-vector via4 AV:N/AC:L/Au:N/C:C/I:C/A:C
redhat via4
advisories
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment jakarta-commons-collections is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521007
        • comment jakarta-commons-collections is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521008
      • AND
        • comment jakarta-commons-collections-javadoc is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521005
        • comment jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521006
      • AND
        • comment jakarta-commons-collections-testframework is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521009
        • comment jakarta-commons-collections-testframework is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521010
      • AND
        • comment jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521011
        • comment jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521012
      • AND
        • comment jakarta-commons-collections-tomcat5 is earlier than 0:3.2.1-3.5.el6_7
          oval oval:com.redhat.rhsa:tst:20152521013
        • comment jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152521014
    rhsa
    id RHSA-2015:2521
    released 2015-11-30
    severity Important
    title RHSA-2015:2521: jakarta-commons-collections security update (Important)
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment apache-commons-collections is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522007
        • comment apache-commons-collections is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522008
      • AND
        • comment apache-commons-collections-javadoc is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522011
        • comment apache-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522012
      • AND
        • comment apache-commons-collections-testframework is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522005
        • comment apache-commons-collections-testframework is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522006
      • AND
        • comment apache-commons-collections-testframework-javadoc is earlier than 0:3.2.1-22.el7_2
          oval oval:com.redhat.rhsa:tst:20152522009
        • comment apache-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20152522010
    rhsa
    id RHSA-2015:2522
    released 2015-11-30
    severity Important
    title RHSA-2015:2522: apache-commons-collections security update (Important)
  • bugzilla
    id 1279330
    title CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment jakarta-commons-collections is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671004
        • comment jakarta-commons-collections is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671005
      • AND
        • comment jakarta-commons-collections-javadoc is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671008
        • comment jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671009
      • AND
        • comment jakarta-commons-collections-testframework is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671006
        • comment jakarta-commons-collections-testframework is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671007
      • AND
        • comment jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671010
        • comment jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671011
      • AND
        • comment jakarta-commons-collections-tomcat5 is earlier than 0:3.2-2jpp.4
          oval oval:com.redhat.rhsa:tst:20152671002
        • comment jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20152671003
    rhsa
    id RHSA-2015:2671
    released 2015-12-21
    severity Important
    title RHSA-2015:2671: jakarta-commons-collections security update (Important)
  • rhsa
    id RHSA-2015:2500
  • rhsa
    id RHSA-2015:2501
  • rhsa
    id RHSA-2015:2502
  • rhsa
    id RHSA-2015:2514
  • rhsa
    id RHSA-2015:2516
  • rhsa
    id RHSA-2015:2517
  • rhsa
    id RHSA-2015:2524
  • rhsa
    id RHSA-2015:2536
  • rhsa
    id RHSA-2015:2670
  • rhsa
    id RHSA-2016:0040
  • rhsa
    id RHSA-2016:1773
rpms
  • jakarta-commons-collections-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7
  • apache-commons-collections-0:3.2.1-22.el7_2
  • apache-commons-collections-javadoc-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2
  • jakarta-commons-collections-0:3.2-2jpp.4
  • jakarta-commons-collections-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-tomcat5-0:3.2-2jpp.4
refmap via4
bid 78215
sectrack
  • 1034097
  • 1037052
  • 1037053
  • 1037640
Last major update 17-10-2018 - 01:29
Published 09-11-2017 - 17:29