CVE-2015-7501

Description

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Affected packages (7)

• Debian/libcommons-collections3-javafrom 0, < 3.2.2-1
• Debian/libcommons-collections4-javafrom 0
• Maven/commons-collections:commons-collectionsfrom 0, < 3.2.2
• Maven/net.sourceforge.collections:collections-generic
• Maven/org.apache.commons:commons-collections4from 0, < 4.1
• Maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic>= 4.01
• Maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections>= 3.2.1

CVSS scores

References (13)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2015-7501
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2015-7501
• PATCHhttps://github.com/apache/commons-collections
• WEBhttp://rhn.redhat.com/errata/RHSA-2016-1773.html
• WEBhttps://access.redhat.com/security/vulnerabilities/2059393
• WEBhttps://access.redhat.com/solutions/2045023
• WEBhttps://arxiv.org/pdf/2306.05534.pdf
• WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1279330
• WEBhttps://commons.apache.org/proper/commons-collections/release_4_1.html
• WEBhttps://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability
• WEBhttps://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
• WEBhttps://issues.apache.org/jira/browse/COLLECTIONS-580.
• WEBhttps://sourceforge.net/p/collections/code/HEAD/tree