Security Bulletin: Vulnerabilities in Apache Commons Collections and Apache Groovy affects IBM UrbanCode Build (CVE-2015-7450, CVE-2015-3253)

Summary

Apache Commons Collections and Apache Groovy vulnerabilities for handling Java object deserialization were addressed by IBM UrbanCode Build

Vulnerability Details

CVE-ID: CVE-2015-7450 **Description:**Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. **CVSS Base Score: **9.8 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918&gt; for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-ID: CVE-2015-3253 **Description:**Apache Groovy could allow a remote attacker to execute arbitrary code on the system, caused by the failure to isolate serialization code when using standard Java serialization mechanim to communicate between servers. An attacker could exploit this vulnerability to deserialize objects and execute arbitrary code on the system or cause a denial of service. **CVSS Base Score: **7.3 CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104819&gt; for the current score *CVSS Environmental Score:**Undefined **CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/C:L/I:L/A:L)

Affected Products and Versions

IBM UrbanCode Build 6.1.0, 6.1.0.1, 6.1.0.2, and 6.1.1 on all supported platforms.

Remediation/Fixes

Upgrade to IBM UrbanCode Build 6.1.1.1.

Workarounds and Mitigations

None