Lucene search

K
ibmIBMC03FA5EBB009D6B1F8AADC24B78B9ABD8ADACBA78E030EBADE0D37E5B4B8531B
HistoryJun 18, 2018 - 12:28 a.m.

Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products

2018-06-1800:28:37
www.ibm.com
6

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

Multiple N series products incorporate the Apache Commons Collection library. Versions of Apache Commons Collection before 3.2.2 and including 4.0 are susceptible to a vulnerability that could be exploited to allow remote attackers to execute arbitrary commands on the system. Multiple N series products has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

N series Snap Creator Framework: 3.6.0, 4.1.0, 4.1.2, 4.3;
SnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4;
SnapManager for SAP: 3.2, 3.3, 3.3.1;
Virtual Storage Console for VMware vSphere: 6.0, 6.1, 6.2;

Remediation/Fixes

For N series Snap Creator Framework: the fix exists from microcode version 4.3P1;
For SnapManager for Oracle: the fix exists from microcode version 3.4P2;
For SnapManager for SAP: the fix exists from microcode version 3.4P2;
For Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2.1;
Please contact IBM support or go to this link to download a supported release.

Workarounds and Mitigations

None.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C