Bug 1279330 (CVE-2015-7501)
| Field | Value |
|---|---|
| Summary | CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation |
| Product | [Other] Security Response |
| Reporter | Timothy Walsh <twalsh> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | urgent |
| Docs Contact | |
| Priority | urgent |
| Version | unspecified |
| CC | acathrow, aileenc, alazarot, anstephe, asantos, aszczucz, bazulay, bbaranow, bdawidow, bkearney, bleanhar, bmaxwell, bmcclain, brms-jira, btotty, cbillett, ccoleman, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dereed, dmcphers, dosoudil, epp-bugs, etirelli, felias, fnasser, gagriogi, gvarsami, hfnukal, hhorak, huwang, idith, iheim, jaeshin, janstey, jason.greene, java-maint, jawilson, jboss-set, jbpapp-maint, jcoleman, jdetiber, jdg-bugs, jialiu, jkeck, jkejda, jokerman, jolee, jorton, jpallich, jshepherd, katello-bugs, kconner, kseifried, ldimaggi, lgao, lmeyer, lpetrovi, lsurette, mbaluch, miburman, michal.skrivanek, mmccomas, msrb, mweiler, mwinkler, myarboro, nuno.m.mendes, nwallace, omajid, pavelp, pcheung, pgier, psakar, psampaio, pslavice, qe-baseos-apps, rbalakri, Rhev-m-bugs, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, sardella, sauchter, security-response-team, sgehwolf, sjacobs, slong, soa-p-jira, spinder, tcunning, theute, tkirby, tomckay, ttarrant, twalsh, vhalbert, vtunka, yeylon, ykaul, ylavi |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | apache-commons-collections 3.2.2, apache-commons-collections 4.1 |
| Doc Type | Bug Fix |
| Doc Text | It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-04-11 16:01:53 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1279748, 1280203, 1281232, 1281233, 1281235, 1281236, 1281237, 1281240, 1281241, 1281494, 1281495, 1281496, 1281497, 1281498, 1281499, 1281500, 1281501, 1281502, 1281503, 1281504, 1281505, 1281506, 1281507, 1281508, 1281510, 1281511, 1281512, 1281513, 1281514, 1281515, 1281516, 1281518, 1281962, 1281963, 1281964, 1281965, 1281966, 1282545, 1282548, 1282598, 1282735, 1282865, 1282866, 1282905, 1283059, 1283080, 1283081, 1285153, 1285387, 1285388, 1286846, 1286849, 1287177, 1287179, 1288167, 1290898, 1291131, 1293691, 1306631, 1339333, 1352018, 1888100 |
| Bug Blocks | 1279264, 1284692, 1284753, 1285990, 1286524, 1288285, 1293205, 1320308 |
| Attachments | |
Description
Timothy Walsh
2015-11-09 08:17:30 UTC
This was addressed back in 2012: https://access.redhat.com/security/cve/CVE-2012-0874

While we have the JMXInvokerHAServlet secured now in EAP 5, we're treating this bug as the ability for commons-collections to execute code during deserialization.

Can the patched commons-collection jar be pushed to MRRC so that we can pick it up for Fuse builds?

Created attachment 1095089: EAP 5 RHEL-6 build, signed

Following investigations by Red Hat Product Security and Red Hat GSS we have raised the priority of this issue.

This issue has been addressed in the following products: JBoss Data Grid 6.4.1, JBoss Data Grid 6.5.1. Via RHSA-2015:2502 https://rhn.redhat.com/errata/RHSA-2015-2502.html

This issue has been addressed in the following products: JBoss Enterprise Application Platform. Via RHSA-2015:2501 https://rhn.redhat.com/errata/RHSA-2015-2501.html

This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7, JBEAP 6.4.z for RHEL 6, JBEAP 6.4.z for RHEL 5. Via RHSA-2015:2500 https://rhn.redhat.com/errata/RHSA-2015-2500.html

The research by FoxGlove Security linked in comment 0 was based on earlier work: "Marshalling Pickles" by Gabriel Lawrence and Chris Frohoff, http://frohoff.github.io/appseccali-marshalling-pickles/

The Apache Software Foundation published a blog post with their statement on the issue: https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Upstream bug for the Apache Commons Collections is: https://issues.apache.org/jira/browse/COLLECTIONS-580

The issue was addressed in Commons Collections by disabling deserialization of the affected InvokerTransformer class, plus a set of other classes that are considered unsafe for deserialization (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure). Deserialization of those classes can be re-enabled using the newly introduced system property "org.apache.commons.collections.enableUnsafeSerialization".

The following patches were applied upstream in the 3.2.x branch:
http://svn.apache.org/viewvc?view=revision&revision=1713307
http://svn.apache.org/viewvc?view=revision&revision=1713537
http://svn.apache.org/viewvc?view=revision&revision=1713845

These changes were applied in upstream Apache Commons Collections version 3.2.2 and should also be included in version 4.1: https://commons.apache.org/proper/commons-collections/release_3_2_2.html

This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.2, JBoss Enterprise Application Platform 5.1.2, JBoss Enterprise Application Platform 4.3.10. Via RHSA-2015:2514 https://rhn.redhat.com/errata/RHSA-2015-2514.html

This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1. Via RHSA-2015:2516 https://rhn.redhat.com/errata/RHSA-2015-2516.html

This issue has been addressed in the following products: Red Hat Fuse Service Works 6.0.0. Via RHSA-2015:2517 https://rhn.redhat.com/errata/RHSA-2015-2517.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2015:2521 https://rhn.redhat.com/errata/RHSA-2015-2521.html

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 6, Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS. Via RHSA-2015:2523 https://rhn.redhat.com/errata/RHSA-2015-2523.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2015:2522 https://rhn.redhat.com/errata/RHSA-2015-2522.html

This issue has been addressed in the following products: JBoss Operations Network 3.3.4. Via RHSA-2015:2524 https://rhn.redhat.com/errata/RHSA-2015-2524.html

This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0, Red Hat JBoss Data Virtualization 6.1.0, Red Hat JBoss Data Virtualization 6.2.0. Via RHSA-2015:2534 https://rhn.redhat.com/errata/RHSA-2015-2534.html

This issue has been addressed in the following products: JBoss Portal 6.2.0. Via RHSA-2015:2537 https://rhn.redhat.com/errata/RHSA-2015-2537.html

This issue has been addressed in the following products: JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 6. Via RHSA-2015:2535 https://rhn.redhat.com/errata/RHSA-2015-2535.html

This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 6, JBEAP 6.3.z for RHEL 5, JBEAP 6.3.z for RHEL 7. Via RHSA-2015:2536 https://rhn.redhat.com/errata/RHSA-2015-2536.html

This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.5. Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html

This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6. Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html

This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5. Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html

This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7. Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html

This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6. Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html

This issue has been addressed in the following products: JBoss Web Server 3.0.1. Via RHSA-2015:2548 https://rhn.redhat.com/errata/RHSA-2015-2548.html

This issue has been addressed in the following products: JBoss Operations Network 3.2.3. Via RHSA-2015:2547 https://rhn.redhat.com/errata/RHSA-2015-2547.html

Statement: This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.

This issue has been addressed in the following products: JBoss BPM Suite 6.2.0. Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html

This issue has been addressed in the following products: JBoss BRMS 6.2.0. Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html

This issue has been addressed in the following products: JBoss A-MQ 6.2.1. Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html

This issue has been addressed in the following products: JBoss Fuse 6.2.1. Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html

This issue has been addressed in the following products: JBoss BPM Suite 6.1.0. Via RHSA-2015:2579 https://rhn.redhat.com/errata/RHSA-2015-2579.html

This issue has been addressed in the following products: JBoss BRMS 6.1.0. Via RHSA-2015:2578 https://rhn.redhat.com/errata/RHSA-2015-2578.html

This issue has been addressed in the following products: Red Hat JBoss BRMS 5.3.1. Via RHSA-2015:2670 https://rhn.redhat.com/errata/RHSA-2015-2670.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 5. Via RHSA-2015:2671 https://rhn.redhat.com/errata/RHSA-2015-2671.html

This issue has been addressed in the following products: Red Hat JBoss Operations Network 3.1.2 Hotfix 11. Via RHSA-2016:0040 https://rhn.redhat.com/errata/RHSA-2016-0040.html

This issue has been addressed in the following products: Red Hat JBoss Operations Network 3.3.5. Via RHSA-2016:0118 https://rhn.redhat.com/errata/RHSA-2016-0118.html

This issue has been addressed in the following products: Red Hat OpenShift Enterprise 2.2. Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html

This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7, Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS, Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2020:4274 https://access.redhat.com/errata/RHSA-2020:4274
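As an added example that is not part of this bug report or of the commons-collections project: a small Python audit that applies the report's "Fixed In Version" values (3.2.2 for the 3.x line, 4.1 for the 4.x line) to commons-collections jars found under a directory, and flags JVM arguments that set `org.apache.commons.collections.enableUnsafeSerialization` back to true, since a patched jar gives no protection once that property re-enables deserialization of the listed classes. The sample jars are constructed in a temporary directory and carry only a manifest; the version-string parsing and the handling of major lines other than 3 and 4 are my assumptions.

```python
# Added example, not part of the bug report: audit a host for commons-collections
# jars older than the fixed releases the report names (3.2.2 and 4.1) and for JVM
# arguments that switch the report's system property back on, undoing the fix.
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = {3: (3, 2, 2), 4: (4, 1)}  # first fixed release of each major line
UNSAFE_PROP = "org.apache.commons.collections.enableUnsafeSerialization"

def parse_version(text):
    """'3.2.1-redhat-1' -> (3, 2, 1); anything after the dotted digits is dropped."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable_version(text):
    """True before the fix, False at or after it, None when the major line is not covered."""
    v = parse_version(text)
    return None if v is None or v[0] not in FIXED else v < FIXED[v[0]]

def jar_version(jar_path):
    """Implementation-Version from the jar manifest, or None if it is absent."""
    with zipfile.ZipFile(jar_path) as z:
        names = z.namelist()
        manifest = z.read("META-INF/MANIFEST.MF").decode() if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def scan_jars(root):
    """{jar name: version} for every commons-collections jar not known to carry the fix."""
    findings = {}
    for jar in Path(root).rglob("*commons-collections*.jar"):
        version = jar_version(jar)
        if is_vulnerable_version(version or "") is not False:
            findings[jar.name] = version
    return findings

def unsafe_serialization_enabled(jvm_args):
    """True when a -D argument sets the report's system property to true."""
    prefix = f"-D{UNSAFE_PROP}="
    return any(a.startswith(prefix) and a[len(prefix):].strip().lower() == "true" for a in jvm_args)

def build_sample_tree():
    """Constructed sample: fake jars holding only a manifest, so the scan runs offline."""
    root = Path(tempfile.mkdtemp())
    for version in ("3.2.1", "3.2.2", "4.0"):
        with zipfile.ZipFile(root / f"commons-collections-{version}.jar", "w") as z:
            z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return root
```

Fixed releases still ship the InvokerTransformer class and the other classes named above, since the fix is a check inside their deserialization path rather than a removal, so the presence of those classes in a jar is not a signal; the version and the system property are.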