It was found that the Apache commons-collections library permitted code execution when deserializing a specially constructed chain of serializable classes: the library's InvokerTransformer and related functor classes invoke arbitrary methods by reflection, and a crafted object graph can trigger them during deserialization. A remote attacker able to supply serialized data to an application that deserializes it with commons-collections on its class path could use this flaw to execute arbitrary code with the permissions of that application. The library itself does not deserialize anything; the exposure comes from any code path that calls ObjectInputStream.readObject() on untrusted input while the gadget classes are loadable.
Find out more about CVE-2015-7501 from the MITRE CVE dictionary and NIST NVD.
This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and it has therefore been assigned a reduced impact of Important for these products and their respective errata.
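The practical mitigation for an application that must keep deserializing Java objects is look-ahead deserialization: decide whether a class may be loaded before ObjectInputStream resolves it, so a gadget class is refused at its class descriptor rather than after its readObject() has run. The following is an added example, not code from the Red Hat advisory or from the commons-collections project; the allowlist contents and the class name SafeObjectInputStream are assumptions to be adapted to the application's own wire format. On JDK 9+ (and 8u121+) the same policy can be expressed with the built-in ObjectInputFilter, but overriding resolveClass() works on every JDK that shipped with the affected products.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead deserialization (example, not the library's own code).
 * resolveClass() is invoked for every class descriptor in the stream,
 * including superclass descriptors, before any instance of that class is
 * created, so a denied class never gets to run its readObject().
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    /** Classes the application expects on the wire (assumption: tailor to your protocol). */
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.Integer",
            "java.lang.Number"      // superclass descriptor of Integer is resolved too
    ));

    /** Gadget package for CVE-2015-7501; denied even if the allowlist is loosened later. */
    private static final String DENIED_PACKAGE = "org.apache.commons.collections";

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // contains() rather than startsWith() also catches array descriptors such as "[Lorg...;"
        if (name.contains(DENIED_PACKAGE)) {
            throw new InvalidClassException(name,
                    "commons-collections classes are not accepted from untrusted input");
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize untrusted bytes with the allowlist enforced. */
    public static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Helper used only to build the constructed sample inputs below. */
    private static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign map built only from allowlisted classes.
        HashMap<String, Integer> benign = new HashMap<>();
        benign.put("count", 42);
        Object back = readChecked(serialize(benign));
        System.out.println("accepted: " + back);

        // Constructed sample input: a class the application never expects.
        // It stands in for an attacker-chosen gadget; the stream is rejected at the
        // class descriptor, so nothing of that class is ever instantiated.
        try {
            readChecked(serialize(new Date()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist must be exact: java.lang.String needs no entry because strings are written as TC_STRING records without a class descriptor, but every serializable superclass of an allowed class (here java.lang.Number for Integer) does, since ObjectInputStream resolves the whole descriptor chain. Keep the deny rule for the gadget package as a second line of defence so that a later widening of the allowlist cannot silently reintroduce the CVE-2015-7501 chain.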
CVSS v2 Metric | Value |
---|---|
Base Score | 7.5 |
Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Access Vector | Network |
Access Complexity | Low |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 5 (jakarta-commons-collections) | RHSA-2015:2671 | 2015-12-21 |
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2015:2514 | 2015-11-24 |
Red Hat JBoss Web Server 3.0 | RHSA-2015:2548 | 2015-12-04 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2015:2542 | 2015-12-02 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:2538 | 2015-12-02 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
Red Hat Enterprise Linux 6 (jakarta-commons-collections) | RHSA-2015:2521 | 2015-11-30 |
Red Hat JBoss Enterprise Application Platform 4.3 | RHSA-2015:2514 | 2015-11-24 |
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
Red Hat Enterprise Linux 7 (apache-commons-collections) | RHSA-2015:2522 | 2015-11-30 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
RHOSE Client 2.0 (jenkins) | RHSA-2016:1773 | 2016-08-24 |
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2015:2541 | 2015-12-02 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-java-common-apache-commons-collections) | RHSA-2015:2523 | 2015-11-30 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (apache-commons-collections-eap6) | RHSA-2015:2536 | 2015-12-01 |
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-collections) | RHSA-2015:2535 | 2015-12-01 |
Red Hat JBoss Enterprise Application Platform 5.1 | RHSA-2015:2514 | 2015-11-24 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:2539 | 2015-12-02 |
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:2540 | 2015-12-02 |
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (apache-commons-collections-eap6) | RHSA-2015:2500 | 2015-11-20 |
Platform | Package | State |
---|---|---|
Red Hat Subscription Asset Manager 1 | jasperreports-server-pro | Affected |
Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Not affected |
Red Hat JBoss Portal Platform 6 | jbossas | Affected |
Red Hat JBoss Portal 5 | jbossas | Affected |
Red Hat JBoss Operations Network 3 | jbossas | Affected |
Red Hat JBoss Fuse Service Works 6 | jbossas | Affected |
Red Hat JBoss Enterprise SOA Platform 5 | JBossAS | Affected |
Red Hat JBoss Enterprise SOA Platform 5 | jbossas | Affected |
Red Hat JBoss Enterprise SOA Platform 4 | JBossAS | Affected |
Red Hat JBoss EWS 2 | tomcat | Not affected |
Red Hat JBoss Data Virtualization 6 | jbossas | Affected |
Red Hat JBoss Data Grid 6 | Infinispan | Affected |
Red Hat JBoss BRMS 6 | jbossas | Affected |
Red Hat JBoss BRMS 5 | jbossas | Affected |
Red Hat JBoss BPMS 6 | jbossas | Affected |
Red Hat JBoss A-MQ 6 | camel | Affected |
RHEV Manager 3 | jasperreports-server-pro | Affected |