Rapid7 Vulnerability & Exploit Database

RHSA-2015:2671: jakarta-commons-collections security update


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/21/2015
Created: 07/25/2018
Added: 12/24/2015
Modified: 12/01/2017

Description

The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property "org.apache.commons.collections.enableUnsafeSerialization" to re-enable their deserialization.

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of jakarta-commons-collections are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications using the commons-collections library must be restarted for the update to take effect.
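The backported patch makes the library itself refuse to deserialize the dangerous classes unless the opt-in property is set. An application that cannot yet deploy the updated package can enforce the same policy at its own deserialization boundary. The example below is added here and is not Red Hat's patch or Rapid7's code; it assumes Java 9+ (java.io.ObjectInputFilter) and that the classes in question live under the org.apache.commons.collections.functors package, which is broader than the "certain classes" the advisory refers to.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;
import java.util.Map;

/** Application-side guard mirroring the advisory's policy: reject Commons Collections
 *  functor classes during deserialization unless the opt-in system property is true. */
public final class CollectionsDeserializationGuard {

    // The opt-in property named in the advisory; unset (the default) means "reject".
    static final String OPT_IN = "org.apache.commons.collections.enableUnsafeSerialization";

    // Assumption: the gadget classes live under this package in Commons Collections 3.x.
    static final String FUNCTORS_PKG = "org.apache.commons.collections.functors.";

    static ObjectInputFilter buildFilter() {
        boolean unsafeAllowed = Boolean.getBoolean(OPT_IN); // reads the system property
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                return ObjectInputFilter.Status.UNDECIDED; // depth/array-length probes, not a class
            }
            if (!unsafeAllowed && c.getName().startsWith(FUNCTORS_PKG)) {
                return ObjectInputFilter.Status.REJECTED;   // readObject throws InvalidClassException
            }
            return ObjectInputFilter.Status.UNDECIDED;      // leave other classes to default rules
        };
    }

    static Object readGuarded(byte[] serialized) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
            in.setObjectInputFilter(buildFilter());
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ordinary HashMap is not affected by the filter.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new HashMap<>(Map.of("key", "value")));
        }
        System.out.println(readGuarded(bos.toByteArray()));
    }
}
```

Run with `-Dorg.apache.commons.collections.enableUnsafeSerialization=true` to reproduce the advisory's opt-in; a rejected class surfaces as java.io.InvalidClassException, which is worth logging as a detection signal.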

Solution(s)

  • redhat-upgrade-jakarta-commons-collections
  • redhat-upgrade-jakarta-commons-collections-debuginfo
  • redhat-upgrade-jakarta-commons-collections-javadoc
  • redhat-upgrade-jakarta-commons-collections-testframework
  • redhat-upgrade-jakarta-commons-collections-testframework-javadoc
  • redhat-upgrade-jakarta-commons-collections-tomcat5
