[RHSA-2015:2548-01] Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update

bugzilla at redhat.com bugzilla at redhat.com
Fri Dec 4 17:16:41 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update
Advisory ID:       RHSA-2015:2548-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2548.html
Issue date:        2015-12-04
CVE Names:         CVE-2015-7501 
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 3.0.1 that fixes one security issue
in the Apache commons-collections library is now available.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. The Apache Commons
Collections library provides new interfaces, implementations, and
utilities to extend the features of the Java Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Web Server 3.0.1 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=3.0.1
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWYcp4XlSAg2UNWIIRAhaYAJ4j8HXP3iVatPUQbDCWSbz4IwfGBQCaArjy
m1nM39Q7LszNvSm04SZ9Hlo=
=6+gW
-----END PGP SIGNATURE-----




More information about the Jboss-watch-list mailing list