Home / vulnerabilities Red Hat Security Advisory 2015-2548-01
Posted on 05 December 2015
Source : packetstormsecurity.org Link
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update
Advisory ID: RHSA-2015:2548-01
Product: Red Hat JBoss Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2548.html
Issue date: 2015-12-04
CVE Names: CVE-2015-7501
=====================================================================
1. Summary:
An update for Red Hat JBoss Web Server 3.0.1 that fixes one security issue
in the Apache commons-collections library is now available.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. The Apache Commons
Collections library provides new interfaces, implementations, and
utilities to extend the features of the Java Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about the commons-collections flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Web Server 3.0.1 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.
3. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
5. References:
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=3.0.1
https://access.redhat.com/solutions/2045023
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWYcp4XlSAg2UNWIIRAhaYAJ4j8HXP3iVatPUQbDCWSbz4IwfGBQCaArjy
m1nM39Q7LszNvSm04SZ9Hlo=
=6+gW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
