Bug 1279330 (CVE-2015-7501) - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
Summary: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution d...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7501
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1279748 1280203 1281232 1281233 1281235 1281236 1281237 1281240 1281241 1281494 1281495 1281496 1281497 1281498 1281499 1281500 1281501 1281502 1281503 1281504 1281505 1281506 1281507 1281508 1281510 1281511 1281512 1281513 1281514 1281515 1281516 1281518 1281962 1281963 1281964 1281965 1281966 1282545 1282548 1282598 1282735 1282865 1282866 1282905 1283059 1283080 1283081 1285153 1285387 1285388 1286846 1286849 1287177 1287179 1288167 1290898 1291131 1293691 1306631 1339333 1352018 1888100
Blocks: 1279264 1284692 1284753 1285990 1286524 1288285 1293205 1320308
TreeView+ depends on / blocked
 
Reported: 2015-11-09 08:17 UTC by Timothy Walsh
Modified: 2021-02-17 04:44 UTC (History)
107 users (show)

Fixed In Version: apache-commons-collections 3.2.2, apache-commons-collections 4.1
Doc Type: Bug Fix
Doc Text:
It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
Clone Of:
Environment:
Last Closed: 2016-04-11 16:01:53 UTC
Embargoed:

Attachments (Terms of Use)
EAP 5 RHEL-6 build, signed (615.22 KB, text/plain)
2015-11-16 21:08 UTC, Fernando Nasser 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2065203 0 None None None Never
Red Hat Product Errata RHSA-2015:2500 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2015-11-21 00:17:48 UTC
Red Hat Product Errata RHSA-2015:2501 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform security update 2015-11-20 23:31:33 UTC
Red Hat Product Errata RHSA-2015:2502 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update 2015-11-20 23:30:38 UTC
Red Hat Product Errata RHSA-2015:2514 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform security update 2015-11-24 23:03:01 UTC
Red Hat Product Errata RHSA-2015:2516 0 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform 5.3.1 commons-collections security update 2015-11-26 01:37:38 UTC
Red Hat Product Errata RHSA-2015:2517 0 normal SHIPPED_LIVE Critical: Red Hat Fuse Service Works 6.0.0 commons-collections security update 2015-11-26 01:56:18 UTC
Red Hat Product Errata RHSA-2015:2521 0 normal SHIPPED_LIVE Important: jakarta-commons-collections security update 2015-11-30 09:40:14 UTC
Red Hat Product Errata RHSA-2015:2522 0 normal SHIPPED_LIVE Important: apache-commons-collections security update 2015-11-30 19:19:35 UTC
Red Hat Product Errata RHSA-2015:2523 0 normal SHIPPED_LIVE Important: rh-java-common-apache-commons-collections security update 2015-11-30 13:19:52 UTC
Red Hat Product Errata RHSA-2015:2524 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.4 security update 2015-11-30 21:07:35 UTC
Red Hat Product Errata RHSA-2015:2534 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0 security update 2015-12-02 00:10:17 UTC
Red Hat Product Errata RHSA-2015:2535 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2015-12-02 01:25:39 UTC
Red Hat Product Errata RHSA-2015:2536 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.3 security update 2015-12-02 01:39:28 UTC
Red Hat Product Errata RHSA-2015:2537 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Portal 6.2.0 commons-collections security update 2015-12-02 01:25:32 UTC
Red Hat Product Errata RHSA-2015:2538 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:16:00 UTC
Red Hat Product Errata RHSA-2015:2539 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:14:48 UTC
Red Hat Product Errata RHSA-2015:2540 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:33:17 UTC
Red Hat Product Errata RHSA-2015:2541 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 21:58:57 UTC
Red Hat Product Errata RHSA-2015:2542 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update 2015-12-02 22:48:07 UTC
Red Hat Product Errata RHSA-2015:2547 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.2.3 security update 2015-12-04 22:12:47 UTC
Red Hat Product Errata RHSA-2015:2548 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update 2015-12-04 22:12:42 UTC
Red Hat Product Errata RHSA-2015:2556 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.1 update 2015-12-08 01:46:59 UTC
Red Hat Product Errata RHSA-2015:2557 0 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.2.1 update 2015-12-08 01:46:54 UTC
Red Hat Product Errata RHSA-2015:2559 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 6.2.0 update 2015-12-08 01:46:42 UTC
Red Hat Product Errata RHSA-2015:2560 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite 6.2.0 update 2015-12-08 01:46:36 UTC
Red Hat Product Errata RHSA-2015:2578 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 6.1.0 commons-collections security update 2015-12-08 21:18:42 UTC
Red Hat Product Errata RHSA-2015:2579 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite 6.1.0 commons-collections security update 2015-12-08 21:18:35 UTC
Red Hat Product Errata RHSA-2015:2670 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS 5.3.1 commons-collections security update 2015-12-19 02:17:13 UTC
Red Hat Product Errata RHSA-2015:2671 0 normal SHIPPED_LIVE Important: jakarta-commons-collections security update 2015-12-21 11:05:28 UTC
Red Hat Product Errata RHSA-2016:0040 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.1.2 Hotfix 11 update 2016-01-14 23:34:55 UTC
Red Hat Product Errata RHSA-2016:0118 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.5 update 2016-02-03 20:00:55 UTC
Red Hat Product Errata RHSA-2016:1773 0 normal SHIPPED_LIVE Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update 2016-08-24 23:41:18 UTC
Red Hat Product Errata RHSA-2020:4274 0 None None None 2020-10-19 09:43:15 UTC

Description Timothy Walsh 2015-11-09 08:17:30 UTC 
It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesnt expose the JMXInvokerServlet by default, other interfaces where deserialization occur might be vulnerable.

Note: classes directly referenced by this flaw:
InvokerTransformer, InstantiateFactory, and InstantiateTransformer

External References:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://access.redhat.com/solutions/2045023
Comment 2 Jason Shepherd 2015-11-10 02:26:29 UTC 
This was addressed back in 2012:

   https://access.redhat.com/security/cve/CVE-2012-0874

While we have the JMXInvokerHAServlet secured now in EAP 5, we're treating this bug as the ability for commons-collections to execute code during deserialization.
Comment 18 Aileen 2015-11-16 14:32:04 UTC 
Can the patched commons-collection jar be pushed to MRRC so that we can pick it up for Fuse builds?
Comment 19 Fernando Nasser 2015-11-16 21:08:51 UTC 
Created attachment 1095089 [details]
EAP 5 RHEL-6 build, signed
Comment 20 Timothy Walsh 2015-11-16 22:59:18 UTC 
Following investigations by Red Hat Product Security and Red Hat GSS we have raised the priority of this issue.
Comment 32 errata-xmlrpc 2015-11-20 18:31:45 UTC 
This issue has been addressed in the following products:

  JBoss Data Grid 6.4.1
  JBoss Data Grid 6.5.1

Via RHSA-2015:2502 https://rhn.redhat.com/errata/RHSA-2015-2502.html
Comment 33 errata-xmlrpc 2015-11-20 18:33:16 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:2501 https://rhn.redhat.com/errata/RHSA-2015-2501.html
Comment 34 errata-xmlrpc 2015-11-20 19:18:01 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7
  JBEAP 6.4.z for RHEL 6
  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2500 https://rhn.redhat.com/errata/RHSA-2015-2500.html
Comment 35 Tomas Hoger 2015-11-24 14:29:02 UTC 
The research by FoxGlove Security linked in comment 0 was based on earlier work:

"Marshalling Pickles" by Gabriel Lawrence and Chris Frohoff
http://frohoff.github.io/appseccali-marshalling-pickles/

The Apache Software Foundation published a blog post with their statement on the issue:

https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

Upstream bug for the Apache Commons Collections is:

https://issues.apache.org/jira/browse/COLLECTIONS-580

The issue was addressed in Commons Collections by disabling deserialization of the affected InvokerTransformer class, plus a set of other classes that are considered unsafe for deserialization (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure).  Deserialization of those classes can be re-enabled using the newly introduced system property "org.apache.commons.collections.enableUnsafeSerialization".

The following patches were applied upstream in the 3.2.x branch:

http://svn.apache.org/viewvc?view=revision&revision=1713307
http://svn.apache.org/viewvc?view=revision&revision=1713537
http://svn.apache.org/viewvc?view=revision&revision=1713845

These changes were applied in upstream Apache Commons Collections version 3.2.2 and should also be included in version 4.1:

https://commons.apache.org/proper/commons-collections/release_3_2_2.html
Comment 36 errata-xmlrpc 2015-11-24 18:03:11 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2
  JBoss Enterprise Application Platform 5.1.2
  JBoss Enterprise Application Platform 4.3.10

Via RHSA-2015:2514 https://rhn.redhat.com/errata/RHSA-2015-2514.html
Comment 41 errata-xmlrpc 2015-11-25 20:37:46 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2015:2516 https://rhn.redhat.com/errata/RHSA-2015-2516.html
Comment 42 errata-xmlrpc 2015-11-25 20:56:43 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse Service Works 6.0.0

Via RHSA-2015:2517 https://rhn.redhat.com/errata/RHSA-2015-2517.html
Comment 45 errata-xmlrpc 2015-11-30 04:40:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2521 https://rhn.redhat.com/errata/RHSA-2015-2521.html
Comment 46 errata-xmlrpc 2015-11-30 04:44:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2521 https://rhn.redhat.com/errata/RHSA-2015-2521.html
Comment 47 errata-xmlrpc 2015-11-30 08:20:06 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS

Via RHSA-2015:2523 https://rhn.redhat.com/errata/RHSA-2015-2523.html
Comment 48 errata-xmlrpc 2015-11-30 14:19:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2522 https://rhn.redhat.com/errata/RHSA-2015-2522.html
Comment 49 errata-xmlrpc 2015-11-30 16:07:43 UTC 
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.4

Via RHSA-2015:2524 https://rhn.redhat.com/errata/RHSA-2015-2524.html
Comment 50 errata-xmlrpc 2015-12-01 19:10:25 UTC 
This issue has been addressed in the following products:

    Red Hat JBoss Data Virtualization 6.0.0
    Red Hat JBoss Data Virtualization 6.1.0
    Red Hat JBoss Data Virtualization 6.2.0

Via RHSA-2015:2534 https://rhn.redhat.com/errata/RHSA-2015-2534.html
Comment 51 errata-xmlrpc 2015-12-01 20:26:07 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:2537 https://rhn.redhat.com/errata/RHSA-2015-2537.html
Comment 52 errata-xmlrpc 2015-12-01 20:27:10 UTC 
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2015:2535 https://rhn.redhat.com/errata/RHSA-2015-2535.html
Comment 53 errata-xmlrpc 2015-12-01 20:41:30 UTC 
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 7

Via RHSA-2015:2536 https://rhn.redhat.com/errata/RHSA-2015-2536.html
Comment 54 errata-xmlrpc 2015-12-02 17:00:08 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.5

Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html
Comment 55 errata-xmlrpc 2015-12-02 17:19:25 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html
Comment 56 errata-xmlrpc 2015-12-02 17:20:48 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html
Comment 57 errata-xmlrpc 2015-12-02 17:35:36 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html
Comment 58 errata-xmlrpc 2015-12-02 17:48:45 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html
Comment 60 errata-xmlrpc 2015-12-04 17:13:02 UTC 
This issue has been addressed in the following products:

  JBoss Web Server 3.0.1

Via RHSA-2015:2548 https://rhn.redhat.com/errata/RHSA-2015-2548.html
Comment 61 errata-xmlrpc 2015-12-04 17:13:55 UTC 
This issue has been addressed in the following products:

  JBoss Operations Network 3.2.3

Via RHSA-2015:2547 https://rhn.redhat.com/errata/RHSA-2015-2547.html
Comment 62 Chess Hazlett 2015-12-07 18:03:44 UTC 
Statement:

This issue affects the Apache commons-collections library as shipped with Fuse 6.2.0 and A-MQ 6.2.0. However, this flaw is not known to be exploitable under supported scenarios in these product versions, and so has been assigned an impact of Important for these products and their respective errata.
Comment 63 errata-xmlrpc 2015-12-07 20:48:11 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.2.0

Via RHSA-2015:2560 https://rhn.redhat.com/errata/RHSA-2015-2560.html
Comment 64 errata-xmlrpc 2015-12-07 20:50:11 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.2.0

Via RHSA-2015:2559 https://rhn.redhat.com/errata/RHSA-2015-2559.html
Comment 65 errata-xmlrpc 2015-12-07 20:53:21 UTC 
This issue has been addressed in the following products:

  JBoss A-MQ 6.2.1

Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html
Comment 66 errata-xmlrpc 2015-12-07 20:54:50 UTC 
This issue has been addressed in the following products:

  JBoss Fuse 6.2.1

Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html
Comment 67 errata-xmlrpc 2015-12-08 16:18:55 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:2579 https://rhn.redhat.com/errata/RHSA-2015-2579.html
Comment 68 errata-xmlrpc 2015-12-08 16:19:57 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:2578 https://rhn.redhat.com/errata/RHSA-2015-2578.html
Comment 71 errata-xmlrpc 2015-12-18 21:17:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2015:2670 https://rhn.redhat.com/errata/RHSA-2015-2670.html
Comment 73 errata-xmlrpc 2015-12-21 06:05:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2015:2671 https://rhn.redhat.com/errata/RHSA-2015-2671.html
Comment 75 errata-xmlrpc 2016-01-14 18:37:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.1.2 Hotfix 11

Via RHSA-2016:0040 https://rhn.redhat.com/errata/RHSA-2016-0040.html
Comment 76 errata-xmlrpc 2016-02-03 15:03:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.3.5 

Via RHSA-2016:0118 https://rhn.redhat.com/errata/RHSA-2016-0118.html
Comment 79 errata-xmlrpc 2016-08-24 19:43:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.2

Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html
Comment 88 errata-xmlrpc 2020-10-19 09:43:22 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:4274 https://access.redhat.com/errata/RHSA-2020:4274
Note You need to log in before you can comment on or make changes to this bug.