IBM7D633A7D31F7F6C981321C72372ACD7088EFC70FC50465A871D4F765F35294CCSecurity Bulletin: Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%
Summary
APM WebSphere Application Server Agent is vulnerable to Apache common collections (commons-collections-3.2.jar). The fix includes commons-collections-3.2.jar upgraded to commons-collections-3.2.2.jar. [CVE-2015-4852, CVE-2017-15708 and CVE-2019-13116]
Vulnerability Details
CVEID:CVE-2015-4852
**DESCRIPTION:**Oracle WebLogic Server could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the WLS Security component due to the deserialization of data of unauthenticated Java objects in the Apache Commons Collections (ACC) library. By using a specially crafted serialiazed Java object in T3 protocol traffic to TCP port 7001, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260094 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2017-15708
**DESCRIPTION:**Apache Synapse could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Apache Commons Collections. By injecting specially-crafted serialized objects, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/136262 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-13116
**DESCRIPTION:**MuleSoft Mule runtime could allow a remote attacker to execute arbitrary code on the system, caused by Java deserialization, related to Apache Commons Collections. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/169704 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| APM Agents for Monitoring | all |
Remediation/Fixes
IBM strongly recommends addressing the vulnerability now by upgrading:
Product Remediation
|
Fix
β|β
APM on-premise
|
APM WebSphere Application Server Agent release 8.1.4.0.20
WAS Agent version: 07.30.14.19
Download the APM Advanced Agents installer from Passport Advantage. Please refer below link for download instructions:
<https://www.ibm.com/docs/en/capmp/8.1.4?topic=advantage-part-numbers>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm application performance management | eq | 8.1.4 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.969 High
EPSS
Percentile
99.7%