Published: 15/12/2015 Updated: 01/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote malicious users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Affected Products

Vendor: Apache | Product: Commons Collections | Versions: 3.2.1, 4.0

Vendor Advisories

Debian Bug report logs - #857343: logback: CVE-2017-5929: serialization vulnerability affecting the SocketServer and ServerSocketReceiver components. Package: liblogback-java; Maintainer for liblogback-java is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for liblogback-java is src:logback (PTS, buildd ...
A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by submitting crafted input ...
IBM Security Privileged Identity Manager has addressed the following security vulnerabilities ...
Oracle Critical Patch Update Advisory - July 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...

Github Repositories

example-java-maven: Example Java (maven) repository containing fake data with vulnerable dependencies. There is at least one vulnerable dependency in this repository: CVE-2015-6420: Vulnerability in Java Deserialization (web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6420). Run OWASP Dependency Check Maven Plugin: mvn org.owasp:dependency-check-maven:check

Java-Deserialization-Cheat-Sheet: A cheat sheet for pentesters and researchers about deserialization vulnerabilities in various Java (JVM) serialization libraries. Please, use #javadeser hash tag for tweets. Table of content: Java Native Serialization (binary), Overview, Main talks & presentations & docs, Payload generators, Exploits, Detect, Vulnerable apps (without