Lucene search

K
centosCentOS ProjectCESA-2015:2522
HistoryDec 01, 2015 - 10:25 p.m.

apache security update

2015-12-0122:25:12
CentOS Project
lists.centos.org
57

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.018

Percentile

88.4%

CentOS Errata and Security Advisory CESA-2015:2522

The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
“org.apache.commons.collections.enableUnsafeSerialization” to re-enable
their deserialization.

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of apache-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2015-December/028995.html

Affected packages:
apache-commons-collections
apache-commons-collections-javadoc
apache-commons-collections-testframework
apache-commons-collections-testframework-javadoc

Upstream details at:
https://access.redhat.com/errata/RHSA-2015:2522

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.018

Percentile

88.4%