CVE-2015-7501: Deserialization of Untrusted Data
(updated )
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
References
- rhn.redhat.com/errata/RHSA-2016-1773.html
- access.redhat.com/security/vulnerabilities/2059393
- access.redhat.com/solutions/2045023
- arxiv.org/pdf/2306.05534.pdf
- bugzilla.redhat.com/show_bug.cgi?id=1279330
- commons.apache.org/proper/commons-collections/release_4_1.html
- foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
- github.com/advisories/GHSA-fjq5-5j5f-mvxh
- github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501
- issues.apache.org/jira/browse/COLLECTIONS-580.
- nvd.nist.gov/vuln/detail/CVE-2015-7501
- sourceforge.net/p/collections/code/HEAD/tree/
Code Behaviors & Features
Detect and mitigate CVE-2015-7501 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →