Lucene search

K
ibmIBM7D633A7D31F7F6C981321C72372ACD7088EFC70FC50465A871D4F765F35294CC
HistoryJul 17, 2023 - 6:26 a.m.

Security Bulletin: Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent

2023-07-1706:26:40
www.ibm.com
18
apm websphere agent
apache commons collections
cve-2015-4852
cve-2017-15708
cve-2019-13116
ibm
java deserialization

0.969 High

EPSS

Percentile

99.7%

Summary

APM WebSphere Application Server Agent is vulnerable to Apache common collections (commons-collections-3.2.jar). The fix includes commons-collections-3.2.jar upgraded to commons-collections-3.2.2.jar. [CVE-2015-4852, CVE-2017-15708 and CVE-2019-13116]

Vulnerability Details

CVEID:CVE-2015-4852
**DESCRIPTION:**Oracle WebLogic Server could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the WLS Security component due to the deserialization of data of unauthenticated Java objects in the Apache Commons Collections (ACC) library. By using a specially crafted serialiazed Java object in T3 protocol traffic to TCP port 7001, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260094 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2017-15708
**DESCRIPTION:**Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/136262 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2019-13116
**DESCRIPTION:**MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169704 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
APM Agents for Monitoring all

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading:

Product Remediation

|

Fix

—|—

APM on-premise

|

APM WebSphere Application Server Agent release 8.1.4.0.20

WAS Agent version: 07.30.14.19

Download the APM Advanced Agents installer from Passport Advantage. Please refer below link for download instructions:

<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers&gt;

Workarounds and Mitigations

None