Bug 1279330 (CVE-2015-7501) - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
Status: CLOSED ERRATA
Alias: CVE-2015-7501
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20151106,repor...
Keywords: Security
Depends On: 1281505 1282598 1282735 1306631 1339333 1279748 1280203 1281232 1281233 1281235 1281236 1281237 1281240 1281241 1281494 1281495 1281496 1281497 1281498 1281499 1281500 1281501 1281502 1281503 1281504 1281506 1281507 1281508 1281510 1281511 1281512 1281513 1281514 1281515 1281516 1281518 1281962 1281963 1281964 1281965 1281966 1282545 1282548 1282865 1282866 1282905 1283059 1283080 1283081 1285153 1285387 1285388 1286846 1286849 1287177 1287179 1288167 1290898 1291131 1293691 1352018
Blocks: 1279264 1284692 1284753 1285990 1286524 1288285 1293205 1320308
Reported: 2015-11-09 08:17 UTC by Timothy Walsh
Modified: 2017-10-19 07:53 UTC
CC: 102 users

Fixed In Version: apache-commons-collections 3.2.2, apache-commons-collections 4.1
Doc Type: Bug Fix
Doc Text:
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-04-11 16:01:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
EAP 5 RHEL-6 build, signed (615.22 KB, text/plain)
2015-11-16 21:08 UTC, Fernando Nasser


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2500 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2015-11-21 00:17:48 UTC
Red Hat Product Errata RHSA-2015:2501 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform security update 2015-11-20 23:31:33 UTC
Red Hat Product Errata RHSA-2015:2502 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update 2015-11-20 23:30:38 UTC
Red Hat Product Errata RHSA-2015:2514 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform security update 2015-11-24 23:03:01 UTC
Red Hat Product Errata RHSA-2015:2516 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform 5.3.1 commons-collections security update 2015-11-26 01:37:38 UTC
Red Hat Product Errata RHSA-2015:2517 normal SHIPPED_LIVE Critical: Red Hat Fuse Service Works 6.0.0 commons-collections security update 2015-11-26 01:56:18 UTC
Red Hat Product Errata RHSA-2015:2521 normal SHIPPED_LIVE Important: jakarta-commons-collections security update 2015-11-30 09:40:14 UTC
Red Hat Product Errata RHSA-2015:2522 normal SHIPPED_LIVE Important: apache-commons-collections security update 2015-11-30 19:19:35 UTC
Red Hat Product Errata RHSA-2015:2523 normal SHIPPED_LIVE Important: rh-java-common-apache-commons-collections security update 2015-11-30 13:19:52 UTC
Red Hat Product Errata RHSA-2015:2524 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.4 security update 2015-11-30 21:07:35 UTC
Red Hat Product Errata RHSA-2015:2534 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update 2015-12-02 00:10:17 UTC
Red Hat Product Errata RHSA-2015:2535 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2015-12-02 01:25:39 UTC
Red Hat Product Errata RHSA-2015:2536 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.3 security update 2015-12-02 01:39:28 UTC
Red Hat Product Errata RHSA-2015:2537 normal SHIPPED_LIVE Critical: Red Hat JBoss Portal 6.2.0 commons-collections security update 2015-12-02 01:25:32 UTC
Red Hat Product Errata RHSA-2015:2538 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:16:00 UTC
Red Hat Product Errata RHSA-2015:2539 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:14:48 UTC
Red Hat Product Errata RHSA-2015:2540 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:33:17 UTC
Red Hat Product Errata RHSA-2015:2541 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 21:58:57 UTC
Red Hat Product Errata RHSA-2015:2542 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update 2015-12-02 22:48:07 UTC
Red Hat Product Errata RHSA-2015:2547 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.2.3 security update 2015-12-04 22:12:47 UTC
Red Hat Product Errata RHSA-2015:2548 normal SHIPPED_LIVE Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update 2015-12-04 22:12:42 UTC
Red Hat Product Errata RHSA-2015:2556 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.1 update 2015-12-08 01:46:59 UTC
Red Hat Product Errata RHSA-2015:2557 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.2.1 update 2015-12-08 01:46:54 UTC
Red Hat Product Errata RHSA-2015:2559 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 6.2.0 update 2015-12-08 01:46:42 UTC
Red Hat Product Errata RHSA-2015:2560 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite 6.2.0 update 2015-12-08 01:46:36 UTC
Red Hat Product Errata RHSA-2015:2578 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 6.1.0 commons-collections security update 2015-12-08 21:18:42 UTC
Red Hat Product Errata RHSA-2015:2579 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite 6.1.0 commons-collections security update 2015-12-08 21:18:35 UTC
Red Hat Product Errata RHSA-2015:2670 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 5.3.1 commons-collections security update 2015-12-19 02:17:13 UTC
Red Hat Product Errata RHSA-2015:2671 normal SHIPPED_LIVE Important: jakarta-commons-collections security update 2015-12-21 11:05:28 UTC
Red Hat Product Errata RHSA-2016:0040 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.1.2 Hotfix 11 update 2016-01-14 23:34:55 UTC
Red Hat Product Errata RHSA-2016:0118 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.5 update 2016-02-03 20:00:55 UTC
Red Hat Product Errata RHSA-2016:1773 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update 2016-08-24 23:41:18 UTC
Red Hat Knowledge Base (Solution) 2065203 None None None Never

Description Timothy Walsh 2015-11-09 08:17:30 UTC
It was found that a flaw in the commons-collections library allowed remote code execution wherever deserialization occurs. While JBoss doesn't expose the JMXInvokerServlet by default, other interfaces where deserialization occurs might be vulnerable.

Note: classes directly referenced by this flaw:
InvokerTransformer, InstantiateFactory, and InstantiateTransformer

External References:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://access.redhat.com/solutions/2045023

Comment 2 Jason Shepherd 2015-11-10 02:26:29 UTC
This was addressed back in 2012:

   https://access.redhat.com/security/cve/CVE-2012-0874

While we have the JMXInvokerHAServlet secured now in EAP 5, we're treating this bug as the ability for commons-collections to execute code during deserialization.

Comment 18 Aileen 2015-11-16 14:32:04 UTC
Can the patched commons-collections jar be pushed to MRRC so that we can pick it up for Fuse builds?

Comment 19 Fernando Nasser 2015-11-16 21:08 UTC
Created attachment 1095089
EAP 5 RHEL-6 build, signed

Comment 20 Timothy Walsh 2015-11-16 22:59:18 UTC
Following investigations by Red Hat Product Security and Red Hat GSS we have raised the priority of this issue.

Comment 32 errata-xmlrpc 2015-11-20 18:31:45 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.4.1
  JBoss Data Grid 6.5.1

Via RHSA-2015:2502 https://rhn.redhat.com/errata/RHSA-2015-2502.html

Comment 33 errata-xmlrpc 2015-11-20 18:33:16 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:2501 https://rhn.redhat.com/errata/RHSA-2015-2501.html

Comment 34 errata-xmlrpc 2015-11-20 19:18:01 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7
  JBEAP 6.4.z for RHEL 6
  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2500 https://rhn.redhat.com/errata/RHSA-2015-2500.html

Comment 35 Tomas Hoger 2015-11-24 14:29:02 UTC
The research by FoxGlove Security linked in comment 0 was based on earlier work:

"Marshalling Pickles" by Gabriel Lawrence and Chris Frohoff
http://frohoff.github.io/appseccali-marshalling-pickles/

The Apache Software Foundation published a blog post with their statement on the issue:

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Upstream bug for the Apache Commons Collections is:

https://issues.apache.org/jira/browse/COLLECTIONS-580

The issue was addressed in Commons Collections by disabling deserialization of the affected InvokerTransformer class, plus a set of other classes that are considered unsafe for deserialization (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure).  Deserialization of those classes can be re-enabled using the newly introduced system property "org.apache.commons.collections.enableUnsafeSerialization".

The following patches were applied upstream in the 3.2.x branch:

http://svn.apache.org/viewvc?view=revision&revision=1713307
http://svn.apache.org/viewvc?view=revision&revision=1713537
http://svn.apache.org/viewvc?view=revision&revision=1713845

These changes were applied in upstream Apache Commons Collections version 3.2.2 and should also be included in version 4.1:

https://commons.apache.org/proper/commons-collections/release_3_2_2.html
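
The upstream fix described above works by making the listed classes refuse to deserialize themselves. Applications that cannot yet pick up 3.2.2 / 4.1, or that want defence in depth, can apply the same idea at the stream level. The following is an added example written for this page; it is not Red Hat's or Apache's code. The class name DenylistObjectInputStream is hypothetical, and the class names it rejects are taken from comment 35 (the nested PrototypeFactory classes are matched on their inner name). It rejects those classes in resolveClass(), i.e. before any readObject() code of the incoming object graph runs, and shows that ordinary serialized data still round-trips through it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (hypothetical class, not the project's own code): a look-ahead
 * ObjectInputStream that refuses to resolve the Commons Collections classes the
 * upstream fix disabled for deserialization (names from comment 35 on this bug).
 */
public class DenylistObjectInputStream extends ObjectInputStream {

    // Simple class names only; both the 3.x (org.apache.commons.collections)
    // and 4.x (org.apache.commons.collections4) packages are covered below.
    private static final Set<String> DENIED = new HashSet<>(Arrays.asList(
            "InvokerTransformer", "CloneTransformer", "ForClosure",
            "InstantiateFactory", "InstantiateTransformer",
            "PrototypeCloneFactory", "PrototypeSerializationFactory",
            "WhileClosure"));

    public DenylistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Called for every class descriptor in the stream, before the object is built. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (isDenied(name)) {
            throw new InvalidClassException(name, "deserialization of this class is not allowed");
        }
        return super.resolveClass(desc);
    }

    /** True when the fully qualified name is one of the disabled Commons Collections classes. */
    static boolean isDenied(String className) {
        if (!className.startsWith("org.apache.commons.collections")) {
            return false;
        }
        String simple = className.substring(className.lastIndexOf('.') + 1);
        // Nested classes such as PrototypeFactory$PrototypeCloneFactory: compare the inner name.
        int dollar = simple.lastIndexOf('$');
        if (dollar >= 0) {
            simple = simple.substring(dollar + 1);
        }
        return DENIED.contains(simple);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a harmless ArrayList still round-trips through the filter.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ArrayList<>(Arrays.asList("a", "b")));
        }
        try (ObjectInputStream ois = new DenylistObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) {
            System.out.println("benign object read back: " + ois.readObject());
        }

        // The filter decision on a few class names, without needing the library on the classpath.
        System.out.println(isDenied("org.apache.commons.collections.functors.InvokerTransformer"));
        System.out.println(isDenied("org.apache.commons.collections4.functors.InvokerTransformer"));
        System.out.println(isDenied("org.apache.commons.collections.functors.PrototypeFactory$PrototypeCloneFactory"));
        System.out.println(isDenied("org.apache.commons.collections.map.LazyMap"));
    }
}
```

A denylist like this only covers the classes named here, so it is a stop-gap on top of upgrading, not a replacement for it; an allowlist of the classes the application actually expects in resolveClass() is the stronger form of the same check, and on Java 9 and later (and 8u121 and later) the same decision can be expressed with the built-in ObjectInputFilter instead of a subclass.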

Comment 36 errata-xmlrpc 2015-11-24 18:03:11 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2
  JBoss Enterprise Application Platform 5.1.2
  JBoss Enterprise Application Platform 4.3.10

Via RHSA-2015:2514 https://rhn.redhat.com/errata/RHSA-2015-2514.html

Comment 41 errata-xmlrpc 2015-11-25 20:37:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2015:2516 https://rhn.redhat.com/errata/RHSA-2015-2516.html

Comment 42 errata-xmlrpc 2015-11-25 20:56:43 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Service Works 6.0.0

Via RHSA-2015:2517 https://rhn.redhat.com/errata/RHSA-2015-2517.html

Comment 45 errata-xmlrpc 2015-11-30 04:40:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2521 https://rhn.redhat.com/errata/RHSA-2015-2521.html

Comment 46 errata-xmlrpc 2015-11-30 04:44:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2521 https://rhn.redhat.com/errata/RHSA-2015-2521.html

Comment 47 errata-xmlrpc 2015-11-30 08:20:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2015:2523 https://rhn.redhat.com/errata/RHSA-2015-2523.html

Comment 48 errata-xmlrpc 2015-11-30 14:19:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2522 https://rhn.redhat.com/errata/RHSA-2015-2522.html

Comment 49 errata-xmlrpc 2015-11-30 16:07:43 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.4

Via RHSA-2015:2524 https://rhn.redhat.com/errata/RHSA-2015-2524.html

Comment 50 errata-xmlrpc 2015-12-01 19:10:25 UTC
This issue has been addressed in the following products:

    Red Hat JBoss Data Virtualization 6.0.0
    Red Hat JBoss Data Virtualization 6.1.0
    Red Hat JBoss Data Virtualization 6.2.0

Via RHSA-2015:2534 https://rhn.redhat.com/errata/RHSA-2015-2534.html

Comment 51 errata-xmlrpc 2015-12-01 20:26:07 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:2537 https://rhn.redhat.com/errata/RHSA-2015-2537.html

Comment 52 errata-xmlrpc 2015-12-01 20:27:10 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2015:2535 https://rhn.redhat.com/errata/RHSA-2015-2535.html

Comment 53 errata-xmlrpc 2015-12-01 20:41:30 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 7

Via RHSA-2015:2536 https://rhn.redhat.com/errata/RHSA-2015-2536.html

Comment 54 errata-xmlrpc 2015-12-02 17:00:08 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.5

Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html

Comment 55 errata-xmlrpc 2015-12-02 17:19:25 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html

Comment 56 errata-xmlrpc 2015-12-02 17:20:48 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html

Comment 57 errata-xmlrpc 2015-12-02 17:35:36 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html

Comment 58 errata-xmlrpc 2015-12-02 17:48:45 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html

Comment 60 errata-xmlrpc 2015-12-04 17:13:02 UTC
This issue has been addressed in the following products:

  JBoss Web Server 3.0.1

Via RHSA-2015:2548 https://rhn.redhat.com/errata/RHSA-2015-2548.html

Comment 61 errata-xmlrpc 2015-12-04 17:13:55 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.2.3

Via RHSA-2015:2547 https://rhn.redhat.com/errata/RHSA-2015-2547.html

Comment 62 Chess Hazlett 2015-12-07 18:03:44 UTC
Statement:

This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.

Comment 63 errata-xmlrpc 2015-12-07 20:48:11 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.2.0

Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html

Comment 64 errata-xmlrpc 2015-12-07 20:50:11 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.2.0

Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html

Comment 65 errata-xmlrpc 2015-12-07 20:53:21 UTC
This issue has been addressed in the following products:

  JBoss A-MQ 6.2.1

Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html

Comment 66 errata-xmlrpc 2015-12-07 20:54:50 UTC
This issue has been addressed in the following products:

  JBoss Fuse 6.2.1

Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html

Comment 67 errata-xmlrpc 2015-12-08 16:18:55 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:2579 https://rhn.redhat.com/errata/RHSA-2015-2579.html

Comment 68 errata-xmlrpc 2015-12-08 16:19:57 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:2578 https://rhn.redhat.com/errata/RHSA-2015-2578.html

Comment 71 errata-xmlrpc 2015-12-18 21:17:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2015:2670 https://rhn.redhat.com/errata/RHSA-2015-2670.html

Comment 73 errata-xmlrpc 2015-12-21 06:05:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:2671 https://rhn.redhat.com/errata/RHSA-2015-2671.html

Comment 75 errata-xmlrpc 2016-01-14 18:37:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.1.2 Hotfix 11

Via RHSA-2016:0040 https://rhn.redhat.com/errata/RHSA-2016-0040.html

Comment 76 errata-xmlrpc 2016-02-03 15:03:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.3.5 

Via RHSA-2016:0118 https://rhn.redhat.com/errata/RHSA-2016-0118.html

Comment 79 errata-xmlrpc 2016-08-24 19:43:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.2

Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html