CVE-2015-7501
First published: Mon Nov 09 2015(Updated: )
It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesnt expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable. Note: classes directly referenced by this flaw: InvokerTransformer, InstantiateFactory, and InstantiateTransformer External References: <a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/">http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/</a> <a href="https://access.redhat.com/solutions/2045023">https://access.redhat.com/solutions/2045023</a>
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic | >=4.01<4.02 | |
| maven/net.sourceforge.collections:collections-generic | =4.01 | |
| maven/org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections | >=3.2.1<3.2.2 | |
| maven/org.apache.commons:commons-collections4 | <4.1 | 4.1 |
| maven/commons-collections:commons-collections | <3.2.2 | 3.2.2 |
| redhat/apache-commons-collections | <3.2.2 | 3.2.2 |
| redhat/apache-commons-collections | <4.1 | 4.1 |
| Red Hat Data Grid | =6.0.0 | |
| redhat jboss a-mq | =6.0.0 | |
| Red Hat JBoss BPM Suite | =6.0.0 | |
| redhat jboss data virtualization | =5.0.0 | |
| redhat jboss data virtualization | =6.0.0 | |
| redhat jboss enterprise application platform | =4.3.0 | |
| redhat jboss enterprise application platform | =5.0.0 | |
| redhat jboss enterprise application platform | =6.0.0 | |
| Red Hat JBoss Enterprise BRMS Platform | =5.0.0 | |
| Red Hat JBoss Enterprise BRMS Platform | =6.0.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.0 | |
| Red Hat JBoss Enterprise Web Server | =3.0.0 | |
| Red Hat JBoss Fuse | =6.0.0 | |
| redhat jboss fuse service works | =6.0 | |
| redhat jboss operations network | =3.0 | |
| Red Hat JBoss Portal | =6.0.0 | |
| Red Hat OpenShift | =3.0 | |
| Red Hat Subscription Asset Manager | =1.3.0 | |
| redhat xPAAS | =3.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2015-2500.html
- http://rhn.redhat.com/errata/RHSA-2015-2501.html
- http://rhn.redhat.com/errata/RHSA-2015-2502.html
- http://rhn.redhat.com/errata/RHSA-2015-2514.html
- http://rhn.redhat.com/errata/RHSA-2015-2516.html
- http://rhn.redhat.com/errata/RHSA-2015-2517.html
- http://rhn.redhat.com/errata/RHSA-2015-2521.html
- http://rhn.redhat.com/errata/RHSA-2015-2522.html
- http://rhn.redhat.com/errata/RHSA-2015-2524.html
- http://rhn.redhat.com/errata/RHSA-2015-2670.html
- http://rhn.redhat.com/errata/RHSA-2015-2671.html
- http://rhn.redhat.com/errata/RHSA-2016-0040.html
- http://rhn.redhat.com/errata/RHSA-2016-1773.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/78215
- http://www.securitytracker.com/id/1034097
- http://www.securitytracker.com/id/1037052
- http://www.securitytracker.com/id/1037053
- http://www.securitytracker.com/id/1037640
- https://access.redhat.com/security/vulnerabilities/2059393
- https://access.redhat.com/solutions/2045023
- https://bugzilla.redhat.com/show_bug.cgi?id=1279330
- https://rhn.redhat.com/errata/RHSA-2015-2536.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://nvd.nist.gov/vuln/detail/CVE-2015-7501
- https://commons.apache.org/proper/commons-collections/release_4_1.html
- https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://issues.apache.org/jira/browse/COLLECTIONS-580.
- https://arxiv.org/pdf/2306.05534.pdf
- https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
- https://sourceforge.net/p/collections/code/HEAD/tree/
- https://github.com/advisories/GHSA-fjq5-5j5f-mvxh (Advisory)
- http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- https://access.redhat.com/security/cve/CVE-2012-0874
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1095089
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1095089&action=edit
- https://rhn.redhat.com/errata/RHSA-2015-2502.html
- https://rhn.redhat.com/errata/RHSA-2015-2501.html
- https://rhn.redhat.com/errata/RHSA-2015-2500.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1279330#c0
- http://frohoff.github.io/appseccali-marshalling-pickles/
- https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
- https://issues.apache.org/jira/browse/COLLECTIONS-580
- http://svn.apache.org/viewvc?view=revision&revision=1713307
- http://svn.apache.org/viewvc?view=revision&revision=1713537
- http://svn.apache.org/viewvc?view=revision&revision=1713845
- https://commons.apache.org/proper/commons-collections/release_3_2_2.html
- https://rhn.redhat.com/errata/RHSA-2015-2514.html
- https://rhn.redhat.com/errata/RHSA-2015-2516.html
- https://rhn.redhat.com/errata/RHSA-2015-2517.html
- https://rhn.redhat.com/errata/RHSA-2015-2521.html
- https://rhn.redhat.com/errata/RHSA-2015-2523.html
- https://rhn.redhat.com/errata/RHSA-2015-2522.html
- https://rhn.redhat.com/errata/RHSA-2015-2524.html
- https://rhn.redhat.com/errata/RHSA-2015-2534.html
- https://rhn.redhat.com/errata/RHSA-2015-2537.html
- https://rhn.redhat.com/errata/RHSA-2015-2535.html
- https://rhn.redhat.com/errata/RHSA-2015-2541.html
- https://rhn.redhat.com/errata/RHSA-2015-2539.html
- https://rhn.redhat.com/errata/RHSA-2015-2538.html
- https://rhn.redhat.com/errata/RHSA-2015-2540.html
- https://rhn.redhat.com/errata/RHSA-2015-2542.html
- https://rhn.redhat.com/errata/RHSA-2015-2548.html
- https://rhn.redhat.com/errata/RHSA-2015-2547.html
- https://rhn.redhat.com/errata/RHSA-2015-2560.html
- https://rhn.redhat.com/errata/RHSA-2015-2559.html
- https://rhn.redhat.com/errata/RHSA-2015-2557.html
- https://rhn.redhat.com/errata/RHSA-2015-2556.html
- https://rhn.redhat.com/errata/RHSA-2015-2579.html
- https://rhn.redhat.com/errata/RHSA-2015-2578.html
- https://rhn.redhat.com/errata/RHSA-2015-2670.html
- https://rhn.redhat.com/errata/RHSA-2015-2671.html
- https://rhn.redhat.com/errata/RHSA-2016-0040.html
- https://rhn.redhat.com/errata/RHSA-2016-0118.html
- https://rhn.redhat.com/errata/RHSA-2016-1773.html
- https://access.redhat.com/errata/RHSA-2020:4274
- https://security.netapp.com/advisory/ntap-20240216-0010/
Frequently Asked Questions
What is the severity of CVE-2015-7501?
CVE-2015-7501 has a high severity rating as it can lead to remote code execution due to deserialization issues in the commons-collection library.
How do I fix CVE-2015-7501?
To fix CVE-2015-7501, update to commons-collections version 3.2.2 or later, or to commons-collections4 version 4.1 or later.
Which software is affected by CVE-2015-7501?
CVE-2015-7501 affects software using specific versions of the commons-collections library, including Apache ServiceMix and Red Hat JBoss products.
What exploits are associated with CVE-2015-7501?
CVE-2015-7501 can be exploited via remote code execution, especially through vulnerable deserialization mechanisms.
Is CVE-2015-7501 fixed in newer versions?
Yes, CVE-2015-7501 is fixed in versions of commons-collections starting from 3.2.2 and 4.1 onwards.
- collector/github-advisory-latest
- alias/GHSA-fjq5-5j5f-mvxh
- alias/CVE-2015-7501
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- package-manager/maven
- package-manager/redhat
- vendor/redhat
- canonical/red hat data grid
- version/red hat data grid/6.0.0
- canonical/redhat jboss a-mq
- version/redhat jboss a-mq/6.0.0
- canonical/red hat jboss bpm suite
- version/red hat jboss bpm suite/6.0.0
- canonical/redhat jboss data virtualization
- version/redhat jboss data virtualization/5.0.0
- version/redhat jboss data virtualization/6.0.0
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/4.3.0
- version/redhat jboss enterprise application platform/5.0.0
- version/redhat jboss enterprise application platform/6.0.0
- canonical/red hat jboss enterprise brms platform
- version/red hat jboss enterprise brms platform/5.0.0
- version/red hat jboss enterprise brms platform/6.0.0
- canonical/red hat jboss enterprise soa platform
- version/red hat jboss enterprise soa platform/5.0.0
- canonical/red hat jboss enterprise web server
- version/red hat jboss enterprise web server/3.0.0
- canonical/red hat jboss fuse
- version/red hat jboss fuse/6.0.0
- canonical/redhat jboss fuse service works
- version/redhat jboss fuse service works/6.0
- canonical/redhat jboss operations network
- version/redhat jboss operations network/3.0
- canonical/red hat jboss portal
- version/red hat jboss portal/6.0.0
- canonical/red hat openshift
- version/red hat openshift/3.0
- canonical/red hat subscription asset manager
- version/red hat subscription asset manager/1.3.0
- canonical/redhat xpaas
- version/redhat xpaas/3.0.0