Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2015-7501 (GCVE-0-2015-7501)
Vulnerability from cvelistv5 – Published: 2017-11-09 00:00 – Updated: 2024-08-06 07:51
VLAI
EPSS
EUVD KEV
Summary
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Severity
9.8 (Critical)
CWE
- n/a
Assigner
References
28 references
Date Public
2015-11-06 00:00
EUVD KEV
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 92514a5f-cc46-4260-98b3-291e440cf8b8
Exploited: Yes
Timestamps
First Seen: 2025-07-14
Asserted: 2025-07-14
Scope
Notes: Affected: Apache / Commons Collections library | Description: the system accepts serialized objects without verifying their origin or reliability allowing an attacker to send specially crafted payloads that are then deserialized and executed | Origin source: CERT Italia | Notes: https://www.acn.gov.it/portale/w/distribuzione-di-payload-malevoli-tramite-vulnerabilita-note
Evidence
Type: Csirt Report
Signal: Successful Exploitation
Confidence: 75%
Source: enisa-cnw-kev
Details
| Cwes | - |
|---|---|
| Euvd | EUVD-2022-3799 |
| Notes | https://www.acn.gov.it/portale/w/distribuzione-di-payload-malevoli-tramite-vulnerabilita-note |
| Catalog | ENISA / EU CSIRTs Network (CNW) KEV CSV |
| Product | Commons Collections library |
| Datereported | 14/07/25 |
| Originsource | CERT Italia |
| Vendorproject | Apache |
| Exploitationtype | - |
| Vulnerabilityname | - |
| Threatactorsexploiting | - |
References
Created: 2026-02-02 12:25 UTC
| Updated: 2026-02-06 07:17 UTC
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:51:28.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2016:0040",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0040.html"
},
{
"name": "RHSA-2015:2670",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2670.html"
},
{
"name": "RHSA-2015:2501",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2501.html"
},
{
"name": "RHSA-2015:2517",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2517.html"
},
{
"name": "78215",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/78215"
},
{
"name": "1034097",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034097"
},
{
"name": "RHSA-2015:2671",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2671.html"
},
{
"name": "1037052",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037052"
},
{
"name": "1037640",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037640"
},
{
"name": "RHSA-2015:2522",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2522.html"
},
{
"name": "RHSA-2015:2521",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2521.html"
},
{
"name": "RHSA-2015:2516",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2516.html"
},
{
"name": "RHSA-2015:2500",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2500.html"
},
{
"name": "RHSA-2015:2514",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2514.html"
},
{
"name": "RHSA-2015:2502",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2502.html"
},
{
"name": "RHSA-2015:2536",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://rhn.redhat.com/errata/RHSA-2015-2536.html"
},
{
"name": "RHSA-2016:1773",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
},
{
"name": "RHSA-2015:2524",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2524.html"
},
{
"name": "1037053",
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1037053"
},
{
"tags": [
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/solutions/2045023"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/vulnerabilities/2059393"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240216-0010/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-16T13:06:08.221Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2016:0040",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0040.html"
},
{
"name": "RHSA-2015:2670",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2670.html"
},
{
"name": "RHSA-2015:2501",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2501.html"
},
{
"name": "RHSA-2015:2517",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2517.html"
},
{
"name": "78215",
"tags": [
"vdb-entry"
],
"url": "http://www.securityfocus.com/bid/78215"
},
{
"name": "1034097",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1034097"
},
{
"name": "RHSA-2015:2671",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2671.html"
},
{
"name": "1037052",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1037052"
},
{
"name": "1037640",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1037640"
},
{
"name": "RHSA-2015:2522",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2522.html"
},
{
"name": "RHSA-2015:2521",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2521.html"
},
{
"name": "RHSA-2015:2516",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2516.html"
},
{
"name": "RHSA-2015:2500",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2500.html"
},
{
"name": "RHSA-2015:2514",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2514.html"
},
{
"name": "RHSA-2015:2502",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2502.html"
},
{
"name": "RHSA-2015:2536",
"tags": [
"vendor-advisory"
],
"url": "https://rhn.redhat.com/errata/RHSA-2015-2536.html"
},
{
"name": "RHSA-2016:1773",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html"
},
{
"name": "RHSA-2015:2524",
"tags": [
"vendor-advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2015-2524.html"
},
{
"name": "1037053",
"tags": [
"vdb-entry"
],
"url": "http://www.securitytracker.com/id/1037053"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"url": "https://access.redhat.com/solutions/2045023"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"url": "https://access.redhat.com/security/vulnerabilities/2059393"
},
{
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240216-0010/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2015-7501",
"datePublished": "2017-11-09T00:00:00.000Z",
"dateReserved": "2015-09-29T00:00:00.000Z",
"dateUpdated": "2024-08-06T07:51:28.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"cnw_known_exploited": {
"CVE": "CVE-2015-7501",
"EUVD": "EUVD-2022-3799",
"cwes": "-",
"dateReported": "14/07/25",
"exploitationType": "-",
"notes": "https://www.acn.gov.it/portale/w/distribuzione-di-payload-malevoli-tramite-vulnerabilita-note",
"originSource": "CERT Italia",
"product": "Commons Collections library",
"shortDescription": "the system accepts serialized objects without verifying their origin or reliability allowing an attacker to send specially crafted payloads that are then deserialized and executed",
"threatActorsExploiting": "-",
"vendorProject": "Apache",
"vulnerabilityName": "-"
},
"epss": {
"cve": "CVE-2015-7501",
"date": "2026-06-02",
"epss": "0.71461",
"percentile": "0.98746"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:data_grid:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D90858CA-996D-4A07-A57A-5E228BBED442\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"33C4404A-CFB7-4B47-9487-F998825C31CA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7750C45E-4D02-45D5-A3AA-CF024C20AC8D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_data_virtualization:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3257F51A-C847-4251-8B1B-D8DEF11677A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E82B2AD8-967D-4ABE-982B-87B9DE73F8D6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B142ACCC-F7A9-4A3B-BE60-0D6691D5058D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9CDC2527-97FE-409D-8DD6-78E085CC73C2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA0930C5-C483-414C-879D-029FDE8251C6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DFB8FED0-E0C6-409C-A2D8-B3999265D545\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8E2F2F98-DB90-43F6-8F28-3656207B6188\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A305F012-544E-4245-9D69-1C8CD37748B1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3B78438D-1321-4BF4-AEB1-DAF60D589530\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C077D692-150C-4AE9-8C0B-7A3EA5EB1100\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_portal:6.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E5C01A82-F078-4D08-93D0-6318272D3D8F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*\", \"matchCriteriaId\": \"45690263-84D9-45A1-8C30-3ED2F0F11F47\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:subscription_asset_manager:1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6047BC2A-5EDB-458F-BBDB-38C0C3CF4E7C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:xpaas:3.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F58B1F3C-C27D-4387-9164-C3E2E0960A2A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.\"}, {\"lang\": \"es\", \"value\": \"Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x y 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x y 5.x; Enterprise Application Platform 6.x, 5.x y 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x y Red Hat Subscription Asset Manager 1.3 permiten que atacantes remotos ejecuten comandos arbitrarios mediante un objeto Java serializado manipulado. Esto est\\u00e1 relacionado con la librer\\u00eda ACC (Apache Commons Collections).\"}]",
"id": "CVE-2015-7501",
"lastModified": "2024-11-21T02:36:53.193",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 10.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 10.0, \"acInsufInfo\": true, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2017-11-09T17:29:00.203",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2500.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2501.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2502.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2514.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2516.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2517.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2521.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2522.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2524.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2670.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2671.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-0040.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1773.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/78215\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1034097\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037052\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037053\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037640\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/security/vulnerabilities/2059393\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/solutions/2045023\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1279330\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\", \"VDB Entry\", \"Vendor Advisory\"]}, {\"url\": \"https://rhn.redhat.com/errata/RHSA-2015-2536.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240216-0010/\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2500.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2501.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2502.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2514.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2516.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2517.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2521.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2522.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2524.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2670.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-2671.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-0040.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-1773.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/78215\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1034097\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037052\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037053\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1037640\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/security/vulnerabilities/2059393\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://access.redhat.com/solutions/2045023\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1279330\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\", \"VDB Entry\", \"Vendor Advisory\"]}, {\"url\": \"https://rhn.redhat.com/errata/RHSA-2015-2536.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240216-0010/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2015-7501\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2017-11-09T17:29:00.203\",\"lastModified\":\"2026-05-13T00:24:29.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.\"},{\"lang\":\"es\",\"value\":\"Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x y 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x y 5.x; Enterprise Application Platform 6.x, 5.x y 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x y Red Hat Subscription Asset Manager 1.3 permiten que atacantes remotos ejecuten comandos arbitrarios mediante un objeto Java serializado manipulado. Esto est\u00e1 relacionado con la librer\u00eda ACC (Apache Commons Collections).\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":10.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:data_grid:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D90858CA-996D-4A07-A57A-5E228BBED442\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C4404A-CFB7-4B47-9487-F998825C31CA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7750C45E-4D02-45D5-A3AA-CF024C20AC8D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_virtualization:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3257F51A-C847-4251-8B1B-D8DEF11677A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CDDAFDB-E67A-4795-B2C4-C2D31734ABC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E82B2AD8-967D-4ABE-982B-87B9DE73F8D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5D7F1AD-4BD3-4C37-B6B5-B287464B2EEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B142ACCC-F7A9-4A3B-BE60-0D6691D5058D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9CDC2527-97FE-409D-8DD6-78E085CC73C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_brms_platform:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA0930C5-C483-414C-879D-029FDE8251C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFB8FED0-E0C6-409C-A2D8-B3999265D545\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E2F2F98-DB90-43F6-8F28-3656207B6188\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A305F012-544E-4245-9D69-1C8CD37748B1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B78438D-1321-4BF4-AEB1-DAF60D589530\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C077D692-150C-4AE9-8C0B-7A3EA5EB1100\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_portal:6.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5C01A82-F078-4D08-93D0-6318272D3D8F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"45690263-84D9-45A1-8C30-3ED2F0F11F47\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:subscription_asset_manager:1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6047BC2A-5EDB-458F-BBDB-38C0C3CF4E7C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:xpaas:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F58B1F3C-C27D-4387-9164-C3E2E0960A2A\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2500.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2501.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2502.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2514.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2516.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2517.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2521.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2522.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2524.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2670.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2671.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0040.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1773.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/78215\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1034097\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037052\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037053\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037640\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/security/vulnerabilities/2059393\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/solutions/2045023\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1279330\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2015-2536.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240216-0010/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2500.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2501.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2502.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2514.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2516.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2517.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2521.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2522.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2524.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2670.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-2671.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0040.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-1773.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/78215\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1034097\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037052\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037053\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1037640\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/security/vulnerabilities/2059393\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/solutions/2045023\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1279330\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\",\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"https://rhn.redhat.com/errata/RHSA-2015-2536.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240216-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2015_2514
Vulnerability from csaf_redhat - Published: 2015-11-24 18:03 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Severity
Critical
Notes
Topic: Updated packages for the Apache commons-collections library, which fix one
security issue, are now available for Red Hat JBoss Enterprise Application
Platform 5.2, 5.1.2, and 4.3.10.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Red Hat JBoss Enterprise Application Platform is a platform for Java
applications based on JBoss Application Server.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Enterprise Application Platform 5.2, 5.1.2, and
4.3.10 are advised to upgrade to these updated packages. The JBoss server
process must be restarted for the update to take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Enterprise Application Platform 4.3
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:4.3
|
— |
Vendor Fix
fix
|
|
Red Hat JBoss Enterprise Application Platform 5.1
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:5.1
|
— |
Vendor Fix
fix
|
|
Red Hat JBoss Enterprise Application Platform 5.2
Red Hat / Red Hat JBoss Enterprise Application Platform
|
cpe:/a:redhat:jboss_enterprise_application_platform:5.2
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated packages for the Apache commons-collections library, which fix one\nsecurity issue, are now available for Red Hat JBoss Enterprise Application\nPlatform 5.2, 5.1.2, and 4.3.10.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform is a platform for Java\napplications based on JBoss Application Server.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2, 5.1.2, and\n4.3.10 are advised to upgrade to these updated packages. The JBoss server\nprocess must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2514",
"url": "https://access.redhat.com/errata/RHSA-2015:2514"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.1.2",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=5.1.2"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=appplatform\u0026version=4.3.0.GA_CP10"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2514.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:49+00:00",
"generator": {
"date": "2024-12-15T18:41:49+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2514",
"initial_release_date": "2015-11-24T18:03:01+00:00",
"revision_history": [
{
"date": "2015-11-24T18:03:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-24T18:03:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:49+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_id": "Red Hat JBoss Enterprise Application Platform 4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.1",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.1",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_id": "Red Hat JBoss Enterprise Application Platform 5.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.1",
"Red Hat JBoss Enterprise Application Platform 5.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-24T18:03:01+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.1",
"Red Hat JBoss Enterprise Application Platform 5.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2514"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Enterprise Application Platform 4.3",
"Red Hat JBoss Enterprise Application Platform 5.1",
"Red Hat JBoss Enterprise Application Platform 5.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2516
Vulnerability from csaf_redhat - Published: 2015-11-25 20:37 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 commons-collections security update
Severity
Critical
Notes
Topic: An update for the Apache Commons Collections component that fixes one
security issue is now available from the Red Hat Customer Portal for Red
Hat JBoss SOA Platform 5.3.1.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Apache Commons Collections is a library built upon Java JDK classes by
providing new interfaces, implementations and utilities.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat
Customer Portal are advised to apply this security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss SOA Platform 5.3
Red Hat / Red Hat JBoss SOA Platform
|
cpe:/a:redhat:jboss_enterprise_soa_platform:5.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the Apache Commons Collections component that fixes one\nsecurity issue is now available from the Red Hat Customer Portal for Red\nHat JBoss SOA Platform 5.3.1.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Commons Collections is a library built upon Java JDK classes by\nproviding new interfaces, implementations and utilities.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss SOA Platform 5.3.1 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2516",
"url": "https://access.redhat.com/errata/RHSA-2015:2516"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform\u0026downloadType=securityPatches\u0026version=5.3.1+GA"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2516.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss SOA Platform 5.3.1 commons-collections security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:27+00:00",
"generator": {
"date": "2024-12-15T18:41:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2516",
"initial_release_date": "2015-11-25T20:37:38+00:00",
"revision_history": [
{
"date": "2015-11-25T20:37:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:37:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss SOA Platform 5.3",
"product": {
"name": "Red Hat JBoss SOA Platform 5.3",
"product_id": "Red Hat JBoss SOA Platform 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss SOA Platform"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss SOA Platform 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-25T20:37:38+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting Red Hat JBoss SOA Platform installation (including its databases,\napplications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss SOA Platform server\nby stopping the JBoss Application Server process before installing this\nupdate, and then after installing the update, restart the Red Hat JBoss SOA\nPlatform server by starting the JBoss Application Server process.",
"product_ids": [
"Red Hat JBoss SOA Platform 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2516"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss SOA Platform 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2517
Vulnerability from csaf_redhat - Published: 2015-11-25 20:56 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: Red Hat Fuse Service Works 6.0.0 commons-collections security update
Severity
Critical
Notes
Topic: An update for the Apache Commons Collections component that fixes one
security issue is now available from the Red Hat Customer Portal for Red
Hat Fuse Service Works 6.0.0.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Apache Commons Collections is a library built upon Java JDK classes by
providing new interfaces, implementations and utilities.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Fuse Service Works 6.0
Red Hat / Red Hat JBoss Fuse Service Works
|
cpe:/a:redhat:jboss_fuse_service_works:6.0
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the Apache Commons Collections component that fixes one\nsecurity issue is now available from the Red Hat Customer Portal for Red\nHat Fuse Service Works 6.0.0.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Commons Collections is a library built upon Java JDK classes by\nproviding new interfaces, implementations and utilities.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2517",
"url": "https://access.redhat.com/errata/RHSA-2015:2517"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2517.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Fuse Service Works 6.0.0 commons-collections security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:33+00:00",
"generator": {
"date": "2024-12-15T18:41:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2517",
"initial_release_date": "2015-11-25T20:56:18+00:00",
"revision_history": [
{
"date": "2015-11-25T20:56:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:36:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Fuse Service Works 6.0",
"product": {
"name": "Red Hat JBoss Fuse Service Works 6.0",
"product_id": "Red Hat JBoss Fuse Service Works 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse Service Works"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Fuse Service Works 6.0"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-25T20:56:18+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Fuse Service Works 6.0"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2517"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Fuse Service Works 6.0"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2521
Vulnerability from csaf_redhat - Published: 2015-11-30 04:40 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: jakarta-commons-collections security update
Severity
Important
Notes
Topic: Updated jakarta-commons-collections packages that fix one security issue
are now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: The Jakarta/Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of jakarta-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
36 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Client-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6ComputeNode-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Critical
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated jakarta-commons-collections packages that fix one security issue\nare now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Jakarta/Apache Commons Collections library provides new interfaces,\nimplementations, and utilities to extend the features of the Java\nCollections Framework.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nWith this update, deserialization of certain classes in the\ncommons-collections library is no longer allowed. Applications that require\nthose classes to be deserialized can use the system property\n\"org.apache.commons.collections.enableUnsafeSerialization\" to re-enable\ntheir deserialization.\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of jakarta-commons-collections are advised to upgrade to these\nupdated packages, which contain a backported patch to correct this issue.\nAll running applications using the commons-collections library must be\nrestarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2521",
"url": "https://access.redhat.com/errata/RHSA-2015:2521"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2521.json"
}
],
"title": "Red Hat Security Advisory: jakarta-commons-collections security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:38+00:00",
"generator": {
"date": "2024-12-15T18:41:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2521",
"initial_release_date": "2015-11-30T04:40:14+00:00",
"revision_history": [
{
"date": "2015-11-30T04:40:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-30T04:40:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"product_id": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-3.5.el6_7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product_id": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-javadoc@3.2.1-3.5.el6_7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"product_id": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-3.5.el6_7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"product": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"product_id": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-testframework@3.2.1-3.5.el6_7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product_id": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-testframework-javadoc@3.2.1-3.5.el6_7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"product": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"product_id": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-tomcat5@3.2.1-3.5.el6_7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Client-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Server-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"relates_to_product_reference": "6Workstation-optional-6.7.z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Client-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-30T04:40:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Client-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2521"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Client-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Client-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6ComputeNode-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Server-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Server-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-0:3.2.1-3.5.el6_7.src",
"6Workstation-optional-6.7.z:jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7.noarch",
"6Workstation-optional-6.7.z:jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2522
Vulnerability from csaf_redhat - Published: 2015-11-30 14:19 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: apache-commons-collections security update
Severity
Important
Notes
Topic: Updated apache-commons-collections packages that fix one security issue are
now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of apache-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
30 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Client-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Critical
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated apache-commons-collections packages that fix one security issue are\nnow available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache Commons Collections library provides new interfaces,\nimplementations, and utilities to extend the features of the Java\nCollections Framework.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nWith this update, deserialization of certain classes in the\ncommons-collections library is no longer allowed. Applications that require\nthose classes to be deserialized can use the system property\n\"org.apache.commons.collections.enableUnsafeSerialization\" to re-enable\ntheir deserialization.\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of apache-commons-collections are advised to upgrade to these\nupdated packages, which contain a backported patch to correct this issue.\nAll running applications using the commons-collections library must be\nrestarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2522",
"url": "https://access.redhat.com/errata/RHSA-2015:2522"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2522.json"
}
],
"title": "Red Hat Security Advisory: apache-commons-collections security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:43+00:00",
"generator": {
"date": "2024-12-15T18:41:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2522",
"initial_release_date": "2015-11-30T14:19:35+00:00",
"revision_history": [
{
"date": "2015-11-30T14:19:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-30T14:19:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"product": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"product_id": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-testframework@3.2.1-22.el7_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"product": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"product_id": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-testframework-javadoc@3.2.1-22.el7_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"product": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"product_id": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-javadoc@3.2.1-22.el7_2?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"product": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"product_id": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections@3.2.1-22.el7_2?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"product": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"product_id": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections@3.2.1-22.el7_2?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Client-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7Client-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Client-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Client-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Client-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7ComputeNode-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7Server-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7Server-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Server-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7Workstation-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-0:3.2.1-22.el7_2.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src"
},
"product_reference": "apache-commons-collections-0:3.2.1-22.el7_2.src",
"relates_to_product_reference": "7Workstation-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-optional-7.2.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
},
"product_reference": "apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"relates_to_product_reference": "7Workstation-optional-7.2.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Client-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-30T14:19:35+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Client-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2522"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Client-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Client-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7ComputeNode-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Server-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Server-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-0:3.2.1-22.el7_2.src",
"7Workstation-optional-7.2.Z:apache-commons-collections-javadoc-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-0:3.2.1-22.el7_2.noarch",
"7Workstation-optional-7.2.Z:apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2523
Vulnerability from csaf_redhat - Published: 2015-11-30 08:19 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: rh-java-common-apache-commons-collections security update
Severity
Important
Notes
Topic: Updated rh-java-common-apache-commons-collections packages which fix one
security issue are now available for Red Hat Software Collections 2.
Red Hat Product Security has rated this update as having Important security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of rh-java-common-apache-commons-collections are advised to
upgrade to these updated packages, which contain a backported patch to
correct this issue. All running applications using the commons-collections
library must be restarted for the update to take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 (High)
Affected products
Fixed
35 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated rh-java-common-apache-commons-collections packages which fix one\nsecurity issue are now available for Red Hat Software Collections 2.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Apache Commons Collections library provides new interfaces,\nimplementations, and utilities to extend the features of the Java\nCollections Framework.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nWith this update, deserialization of certain classes in the\ncommons-collections library is no longer allowed. Applications that require\nthose classes to be deserialized can use the system property\n\"org.apache.commons.collections.enableUnsafeSerialization\" to re-enable\ntheir deserialization.\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of rh-java-common-apache-commons-collections are advised to\nupgrade to these updated packages, which contain a backported patch to\ncorrect this issue. All running applications using the commons-collections\nlibrary must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2523",
"url": "https://access.redhat.com/errata/RHSA-2015:2523"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2523.json"
}
],
"title": "Red Hat Security Advisory: rh-java-common-apache-commons-collections security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:54+00:00",
"generator": {
"date": "2024-12-15T18:41:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2523",
"initial_release_date": "2015-11-30T08:19:52+00:00",
"revision_history": [
{
"date": "2015-11-30T08:19:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-11-30T08:19:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"product_id": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-testframework-javadoc@3.2.1-21.13.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"product_id": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections@3.2.1-21.13.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"product_id": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-javadoc@3.2.1-21.13.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"product_id": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-testframework@3.2.1-21.13.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"product_id": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections@3.2.1-21.13.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"product_id": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-javadoc@3.2.1-21.13.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"product_id": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-testframework@3.2.1-21.13.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"product": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"product_id": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections-testframework-javadoc@3.2.1-21.13.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"product": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"product_id": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections@3.2.1-21.13.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"product": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"product_id": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-java-common-apache-commons-collections@3.2.1-21.13.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.6)",
"product_id": "6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.6.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1-7.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.1-7.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1-7.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1-7.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.1)",
"product_id": "7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1-7.1.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src"
},
"product_reference": "rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
},
"product_reference": "rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-30T08:19:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2523"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.6.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1-6.7.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6.src",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6.noarch",
"6Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1-7.1.Z:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Server-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7.src",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7.noarch",
"7Workstation-RHSCL-2.1:rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2524
Vulnerability from csaf_redhat - Published: 2015-11-30 16:07 - Updated: 2024-12-15 18:41Summary
Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.4 security update
Severity
Critical
Notes
Topic: An update for the Apache Commons Collections component that fixes one
security issue is now available from the Red Hat Customer Portal for Red
Hat JBoss Operations Network 3.3 update 4.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Apache Commons Collections is a library built upon Java JDK classes by
providing new interfaces, implementations and utilities.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of JBoss Operations Network 3.3.4 as provided from the Red Hat
Customer Portal are advised to apply this security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Operations Network 3.3
Red Hat / Red Hat JBoss Operations Network
|
cpe:/a:redhat:jboss_operations_network:3.3
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
12 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the Apache Commons Collections component that fixes one\nsecurity issue is now available from the Red Hat Customer Portal for Red\nHat JBoss Operations Network 3.3 update 4.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Commons Collections is a library built upon Java JDK classes by\nproviding new interfaces, implementations and utilities.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of JBoss Operations Network 3.3.4 as provided from the Red Hat\nCustomer Portal are advised to apply this security update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2524",
"url": "https://access.redhat.com/errata/RHSA-2015:2524"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em\u0026downloadType=securityPatches\u0026version=3.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2524.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Operations Network 3.3.4 security update",
"tracking": {
"current_release_date": "2024-12-15T18:41:16+00:00",
"generator": {
"date": "2024-12-15T18:41:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2524",
"initial_release_date": "2015-11-30T16:07:35+00:00",
"revision_history": [
{
"date": "2015-11-30T16:07:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:36:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:41:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Operations Network 3.3",
"product": {
"name": "Red Hat JBoss Operations Network 3.3",
"product_id": "Red Hat JBoss Operations Network 3.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_operations_network:3.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Operations Network"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Operations Network 3.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-11-30T16:07:35+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the update). This is a server patch that contains a\nsingle fix and should not be mixed with other server patches. If you\nalready have a server patch, please contact Red Hat Global Support Services\nfor compatibility assessment.\n\nYou must shutdown the JBoss ON server prior to applying this patch.\n\nThis patch must be applied to each JBoss ON server in a high-availability\n(HA) environment. You can apply the patch to each server individually so\nthat only one server is down at a time.\n\nTo install the patch:\n\n1. Stop the JBoss ON server.\n2. Backup and remove the following files:\n\n\u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1.redhat-3.jar \u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.jar\n\n3. Extract the patch archive to the JBoss ON server\u0027s home directory.\n\nFor example:\nunzip -od \"${RHQ_SERVER_HOME}\" /tmp/BZ1281514.zip\n\nBe sure to replace any existing files if prompted.\n\n4. Start the JBoss ON server.\nRepeat the steps for any remaining JBoss ON servers in a HA environment.\n\nTo uninstall the patch:\n\n1. Stop the JBoss ON server.\n2. Remove the updated files:\n\n\u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1.redhat-3-bz-1281962.jar \u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281962.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.redhat-3-bz-1281962.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.redhat-3-bz-1281962.jar\n\n3. Restore the following files from the backup created prior to applying this patch:\n\n\u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/commons-collections-3.2.1.redhat-3.jar \u003cRHQ_SERVER_HOME\u003e/jbossas/modules/system/layers/base/org/apache/commons/collections/main/module.xml\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-portal.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/rhq-content_http.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\u003cRHQ_SERVER_HOME\u003e/modules/org/rhq/server-startup/main/deployments/rhq.ear/lib/commons-collections-3.2.1.jar\n\n4. Start the JBoss ON server.\n\nRepeat the steps for any remaining JBoss ON servers in a HA.",
"product_ids": [
"Red Hat JBoss Operations Network 3.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2524"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Operations Network 3.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2534
Vulnerability from csaf_redhat - Published: 2015-12-01 19:10 - Updated: 2024-12-15 18:42Summary
Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update
Severity
Critical
Notes
Topic: An update for the Apache Commons Collections component that fixes one
security issue is now available from the Red Hat Customer Portal for Red
Hat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Apache Commons Collections is a library built upon Java JDK classes by
providing new interfaces, implementations and utilities.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0 as
provided from the Red Hat Customer Portal are advised to apply this
security update.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
3 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat JBoss Data Virtualization 6.0
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.0
|
— |
Vendor Fix
fix
|
|
Red Hat JBoss Data Virtualization 6.1
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.1
|
— |
Vendor Fix
fix
|
|
Red Hat JBoss Data Virtualization 6.2
Red Hat / Red Hat JBoss Data Virtualization
|
cpe:/a:redhat:jboss_data_virtualization:6.2
|
— |
Vendor Fix
fix
|
Threats
Impact
Critical
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for the Apache Commons Collections component that fixes one\nsecurity issue is now available from the Red Hat Customer Portal for Red\nHat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Commons Collections is a library built upon Java JDK classes by\nproviding new interfaces, implementations and utilities.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss Data Virtualization 6.0.0, 6.1.0 and 6.2.0 as\nprovided from the Red Hat Customer Portal are advised to apply this\nsecurity update.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2534",
"url": "https://access.redhat.com/errata/RHSA-2015:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.0.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.1.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.1.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.2.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.2.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update",
"tracking": {
"current_release_date": "2024-12-15T18:42:27+00:00",
"generator": {
"date": "2024-12-15T18:42:27+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2534",
"initial_release_date": "2015-12-01T19:10:17+00:00",
"revision_history": [
{
"date": "2015-12-01T19:10:17+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:37:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:42:27+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.0",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.0",
"product_id": "Red Hat JBoss Data Virtualization 6.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.1",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.1",
"product_id": "Red Hat JBoss Data Virtualization 6.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.1"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.2",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.2",
"product_id": "Red Hat JBoss Data Virtualization 6.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.2"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.0",
"Red Hat JBoss Data Virtualization 6.1",
"Red Hat JBoss Data Virtualization 6.2"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-12-01T19:10:17+00:00",
"details": "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.0",
"Red Hat JBoss Data Virtualization 6.1",
"Red Hat JBoss Data Virtualization 6.2"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2534"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.0",
"Red Hat JBoss Data Virtualization 6.1",
"Red Hat JBoss Data Virtualization 6.2"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2535
Vulnerability from csaf_redhat - Published: 2015-12-01 20:25 - Updated: 2024-12-15 18:42Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 5.2 security update
Severity
Critical
Notes
Topic: Updated packages for the Apache commons-collections library for Red Hat
JBoss Enterprise Application Platform 5.2, which fix one security issue,
are now available for Red Hat Enterprise Linux 4, 5, and 6.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Red Hat JBoss Enterprise Application Platform 5 is a platform for Java
applications based on JBoss Application Server 6.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Enterprise Application Platform 5.2 on Red Hat
Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated
packages. The JBoss server process must be restarted for the update to
take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4AS-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 4ES-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch | — |
Vendor Fix
fix
|
Threats
Impact
Critical
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated packages for the Apache commons-collections library for Red Hat\nJBoss Enterprise Application Platform 5.2, which fix one security issue,\nare now available for Red Hat Enterprise Linux 4, 5, and 6.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 5 is a platform for Java\napplications based on JBoss Application Server 6.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss Enterprise Application Platform 5.2 on Red Hat\nEnterprise Linux 4, 5, and 6 are advised to upgrade to these updated\npackages. The JBoss server process must be restarted for the update to\ntake effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2535",
"url": "https://access.redhat.com/errata/RHSA-2015:2535"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2535.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 5.2 security update",
"tracking": {
"current_release_date": "2024-12-15T18:42:16+00:00",
"generator": {
"date": "2024-12-15T18:42:16+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2535",
"initial_release_date": "2015-12-01T20:25:38+00:00",
"revision_history": [
{
"date": "2015-12-01T20:25:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-12-01T20:25:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:42:16+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"product": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"product_id": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-tomcat5@3.2.1-5.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"product": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"product_id": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-tomcat5@3.2.1-5.ep5.el4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch",
"product": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch",
"product_id": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections-tomcat5@3.2.1-5.ep5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el4?arch=src"
}
}
},
{
"category": "product_version",
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"product": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"product_id": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jakarta-commons-collections@3.2.1-5.ep5.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS",
"product_id": "4AS-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"relates_to_product_reference": "4AS-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 ES",
"product_id": "4ES-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"relates_to_product_reference": "4ES-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server",
"product_id": "5Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.src as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.src"
},
"product_reference": "jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"relates_to_product_reference": "6Server-JBEAP-5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server",
"product_id": "6Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch"
},
"product_reference": "jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4AS-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4ES-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"5Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"6Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-12-01T20:25:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4AS-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4ES-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"5Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"6Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2535"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4AS-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4AS-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.noarch",
"4ES-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el4.src",
"4ES-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.noarch",
"5Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el5.src",
"5Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.noarch",
"6Server-JBEAP-5:jakarta-commons-collections-0:3.2.1-5.ep5.el6.src",
"6Server-JBEAP-5:jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
RHSA-2015_2536
Vulnerability from csaf_redhat - Published: 2015-12-01 20:39 - Updated: 2024-12-15 18:42Summary
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.3 security update
Severity
Critical
Notes
Topic: Updated packages that fix one security issue for the Apache
commons-collections library for Red Hat JBoss Enterprise Application
Platform 6.3 are now available for Red Hat Enterprise Linux 5, 6, and 7.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
Details: Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
applications based on JBoss Application Server 7.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat
Enterprise Linux 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
7.5 ()
Affected products
Fixed
6 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src | — |
Vendor Fix
fix
|
Threats
Impact
Critical
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated packages that fix one security issue for the Apache\ncommons-collections library for Red Hat JBoss Enterprise Application\nPlatform 6.3 are now available for Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Critical security\nimpact. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available from the CVE link in the\nReferences section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Enterprise Application Platform 6 is a platform for Java\napplications based on JBoss Application Server 7.\n\nIt was found that the Apache commons-collections library permitted code\nexecution when deserializing objects involving a specially constructed\nchain of classes. A remote attacker could use this flaw to execute\narbitrary code with the permissions of the application using the\ncommons-collections library. (CVE-2015-7501)\n\nFurther information about this security flaw may be found at:\nhttps://access.redhat.com/solutions/2045023\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat\nEnterprise Linux 6 are advised to upgrade to these updated packages.\nThe JBoss server process must be restarted for the update to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2015:2536",
"url": "https://access.redhat.com/errata/RHSA-2015:2536"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#critical",
"url": "https://access.redhat.com/security/updates/classification/#critical"
},
{
"category": "external",
"summary": "https://access.redhat.com/solutions/2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2536.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.3 security update",
"tracking": {
"current_release_date": "2024-12-15T18:42:22+00:00",
"generator": {
"date": "2024-12-15T18:42:22+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2015:2536",
"initial_release_date": "2015-12-01T20:39:28+00:00",
"revision_history": [
{
"date": "2015-12-01T20:39:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2015-12-01T20:39:28+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-15T18:42:22+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6 Server",
"product_id": "6Server-JBEAP-6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 Server",
"product_id": "5Server-JBEAP-6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server",
"product_id": "7Server-JBEAP-6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Enterprise Application Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el5?arch=src"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el5?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"product": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"product_id": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/apache-commons-collections-eap6@3.2.1-16.redhat_5.1.ep6.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 Server",
"product_id": "5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"relates_to_product_reference": "5Server-JBEAP-6.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5 Server",
"product_id": "5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"relates_to_product_reference": "5Server-JBEAP-6.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6 Server",
"product_id": "6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"relates_to_product_reference": "6Server-JBEAP-6.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6 Server",
"product_id": "6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"relates_to_product_reference": "6Server-JBEAP-6.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server",
"product_id": "7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"relates_to_product_reference": "7Server-JBEAP-6.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src as a component of Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server",
"product_id": "7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src"
},
"product_reference": "apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src",
"relates_to_product_reference": "7Server-JBEAP-6.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7501",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1279330"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-commons-collections: InvokerTransformer code execution during deserialisation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7501"
},
{
"category": "external",
"summary": "RHBZ#1279330",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330"
},
{
"category": "external",
"summary": "RHSB-2045023",
"url": "https://access.redhat.com/solutions/2045023"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7501",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7501"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501"
},
{
"category": "external",
"summary": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/",
"url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/"
}
],
"release_date": "2015-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2015-12-01T20:39:28+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2015:2536"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.noarch",
"5Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5.src",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.noarch",
"6Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6.src",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.noarch",
"7Server-JBEAP-6.3:apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Critical"
}
],
"title": "apache-commons-collections: InvokerTransformer code execution during deserialisation"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…