CVE-2015-7501
First published: Mon Nov 09 2015(Updated: )
It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesnt expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable. Note: classes directly referenced by this flaw: InvokerTransformer, InstantiateFactory, and InstantiateTransformer External References: <a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/">http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/</a> <a href="https://access.redhat.com/solutions/2045023">https://access.redhat.com/solutions/2045023</a>
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic | >=4.01<4.02 | |
| maven/net.sourceforge.collections:collections-generic | =4.01 | |
| maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections | >=3.2.1<3.2.2 | |
| maven/org.apache.commons:commons-collections4 | <4.1 | 4.1 |
| maven/commons-collections:commons-collections | <3.2.2 | 3.2.2 |
| redhat/apache-commons-collections | <3.2.2 | 3.2.2 |
| redhat/apache-commons-collections | <4.1 | 4.1 |
| Redhat Data Grid | =6.0.0 | |
| Redhat Jboss A-mq | =6.0.0 | |
| Redhat Jboss Bpm Suite | =6.0.0 | |
| Redhat Jboss Data Virtualization | =5.0.0 | |
| Redhat Jboss Data Virtualization | =6.0.0 | |
| Redhat Jboss Enterprise Application Platform | =4.3.0 | |
| Redhat Jboss Enterprise Application Platform | =5.0.0 | |
| Redhat Jboss Enterprise Application Platform | =6.0.0 | |
| Redhat Jboss Enterprise Brms Platform | =5.0.0 | |
| Redhat Jboss Enterprise Brms Platform | =6.0.0 | |
| Redhat Jboss Enterprise Soa Platform | =5.0.0 | |
| Redhat Jboss Enterprise Web Server | =3.0.0 | |
| Redhat Jboss Fuse | =6.0.0 | |
| Redhat Jboss Fuse Service Works | =6.0 | |
| Redhat Jboss Operations Network | =3.0 | |
| Redhat Jboss Portal | =6.0.0 | |
| Redhat Openshift | =3.0 | |
| Redhat Subscription Asset Manager | =1.3.0 | |
| Redhat Xpaas | =3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-2500.html
- http://rhn.redhat.com/errata/RHSA-2015-2501.html
- http://rhn.redhat.com/errata/RHSA-2015-2502.html
- http://rhn.redhat.com/errata/RHSA-2015-2514.html
- http://rhn.redhat.com/errata/RHSA-2015-2516.html
- http://rhn.redhat.com/errata/RHSA-2015-2517.html
- http://rhn.redhat.com/errata/RHSA-2015-2521.html
- http://rhn.redhat.com/errata/RHSA-2015-2522.html
- http://rhn.redhat.com/errata/RHSA-2015-2524.html
- http://rhn.redhat.com/errata/RHSA-2015-2670.html
- http://rhn.redhat.com/errata/RHSA-2015-2671.html
- http://rhn.redhat.com/errata/RHSA-2016-0040.html
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/78215
- http://www.securitytracker.com/id/1034097
- http://www.securitytracker.com/id/1037052
- http://www.securitytracker.com/id/1037053
- http://www.securitytracker.com/id/1037640
- https://access.redhat.com/security/vulnerabilities/2059393
- https://access.redhat.com/solutions/2045023
- https://bugzilla.redhat.com/show_bug.cgi?id=1279330
- https://rhn.redhat.com/errata/RHSA-2015-2536.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7501
- https://commons.apache.org/proper/commons-collections/release_4_1.html
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://issues.apache.org/jira/browse/COLLECTIONS-580.
- https://arxiv.org/pdf/2306.05534.pdf
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
- https://sourceforge.net/p/collections/code/HEAD/tree/
- https://github.com/advisories/GHSA-fjq5-5j5f-mvxh (Advisory)
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://access.redhat.com/security/cve/CVE-2012-0874
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1095089
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1095089&action=edit
- https://rhn.redhat.com/errata/RHSA-2015-2502.html
- https://rhn.redhat.com/errata/RHSA-2015-2501.html
- https://rhn.redhat.com/errata/RHSA-2015-2500.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1279330#c0
- http://frohoff.github.io/appseccali-marshalling-pickles/
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- https://issues.apache.org/jira/browse/COLLECTIONS-580
- http://svn.apache.org/viewvc?view=revision&revision=1713307
- http://svn.apache.org/viewvc?view=revision&revision=1713537
- http://svn.apache.org/viewvc?view=revision&revision=1713845
- https://commons.apache.org/proper/commons-collections/release_3_2_2.html
- https://rhn.redhat.com/errata/RHSA-2015-2514.html
- https://rhn.redhat.com/errata/RHSA-2015-2516.html
- https://rhn.redhat.com/errata/RHSA-2015-2517.html
- https://rhn.redhat.com/errata/RHSA-2015-2521.html
- https://rhn.redhat.com/errata/RHSA-2015-2523.html
- https://rhn.redhat.com/errata/RHSA-2015-2522.html
- https://rhn.redhat.com/errata/RHSA-2015-2524.html
- https://rhn.redhat.com/errata/RHSA-2015-2534.html
- https://rhn.redhat.com/errata/RHSA-2015-2537.html
- https://rhn.redhat.com/errata/RHSA-2015-2535.html
- https://rhn.redhat.com/errata/RHSA-2015-2541.html
- https://rhn.redhat.com/errata/RHSA-2015-2539.html
- https://rhn.redhat.com/errata/RHSA-2015-2538.html
- https://rhn.redhat.com/errata/RHSA-2015-2540.html
- https://rhn.redhat.com/errata/RHSA-2015-2542.html
- https://rhn.redhat.com/errata/RHSA-2015-2548.html
- https://rhn.redhat.com/errata/RHSA-2015-2547.html
- https://rhn.redhat.com/errata/RHSA-2015-2560.html
- https://rhn.redhat.com/errata/RHSA-2015-2559.html
- https://rhn.redhat.com/errata/RHSA-2015-2557.html
- https://rhn.redhat.com/errata/RHSA-2015-2556.html
- https://rhn.redhat.com/errata/RHSA-2015-2579.html
- https://rhn.redhat.com/errata/RHSA-2015-2578.html
- https://rhn.redhat.com/errata/RHSA-2015-2670.html
- https://rhn.redhat.com/errata/RHSA-2015-2671.html
- https://rhn.redhat.com/errata/RHSA-2016-0040.html
- https://rhn.redhat.com/errata/RHSA-2016-0118.html
- https://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://access.redhat.com/errata/RHSA-2020:4274
- https://security.netapp.com/advisory/ntap-20240216-0010/
- collector/github-advisory-latest
- alias/GHSA-fjq5-5j5f-mvxh
- alias/CVE-2015-7501
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/description
- agent/event
- agent/author
- agent/last-modified-date
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- package-manager/maven
- package-manager/redhat
- vendor/redhat
- canonical/redhat data grid
- version/redhat data grid/6.0.0
- canonical/redhat jboss a-mq
- version/redhat jboss a-mq/6.0.0
- canonical/redhat jboss bpm suite
- version/redhat jboss bpm suite/6.0.0
- canonical/redhat jboss data virtualization
- version/redhat jboss data virtualization/5.0.0
- version/redhat jboss data virtualization/6.0.0
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/4.3.0
- version/redhat jboss enterprise application platform/5.0.0
- version/redhat jboss enterprise application platform/6.0.0
- canonical/redhat jboss enterprise brms platform
- version/redhat jboss enterprise brms platform/5.0.0
- version/redhat jboss enterprise brms platform/6.0.0
- canonical/redhat jboss enterprise soa platform
- version/redhat jboss enterprise soa platform/5.0.0
- canonical/redhat jboss enterprise web server
- version/redhat jboss enterprise web server/3.0.0
- canonical/redhat jboss fuse
- version/redhat jboss fuse/6.0.0
- canonical/redhat jboss fuse service works
- version/redhat jboss fuse service works/6.0
- canonical/redhat jboss operations network
- version/redhat jboss operations network/3.0
- canonical/redhat jboss portal
- version/redhat jboss portal/6.0.0
- canonical/redhat openshift
- version/redhat openshift/3.0
- canonical/redhat subscription asset manager
- version/redhat subscription asset manager/1.3.0
- canonical/redhat xpaas
- version/redhat xpaas/3.0.0