Описание
Deserialization of Untrusted Data in Apache commons collections
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2015-7501
- https://access.redhat.com/security/vulnerabilities/2059393
- https://access.redhat.com/solutions/2045023
- https://arxiv.org/pdf/2306.05534.pdf
- https://bugzilla.redhat.com/show_bug.cgi?id=1279330
- https://commons.apache.org/proper/commons-collections/release_4_1.html
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
- https://issues.apache.org/jira/browse/COLLECTIONS-580.
- https://sourceforge.net/p/collections/code/HEAD/tree
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
Пакеты
commons-collections:commons-collections
< 3.2.2
3.2.2
org.apache.commons:commons-collections4
< 4.1
4.1
org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
>= 3.2.1
Отсутствует
net.sourceforge.collections:collections-generic
= 4.01
Отсутствует
org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
>= 4.01
Отсутствует
Связанные уязвимости
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data G ...
ELSA-2015-2671: jakarta-commons-collections security update (IMPORTANT)