Lucene search

K
ibmIBME9094C448DDFA53F1801F49370E9B1301873155775CFD8E4A6A53500E27FBB43
HistoryJun 16, 2018 - 7:52 p.m.

Security Bulletin: Vulnerability in Apache Commons Collections affects IBM Forms Server (CVE-2015-7450)

2018-06-1619:52:47
www.ibm.com
2

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Forms Server.

Vulnerability Details

CVEID: CVE-2015-7450

DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.

CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Forms Server 4.0.*
IBM Forms Server 8.0.*
IBM Forms Server 8.1
IBM Forms Server 8.2

Remediation/Fixes

Product

| VRMF|APAR|Remediation
—|—|—|—
IBM Forms Server| 4.0.0.*| LO87133 |

Download and install 4.0.0.2-FormsServer-WFS-IF0002

IBM Forms Server| 8.0.0.*| LO87133|

Download and install 8.0.0-FormsServer-WFS-IF0002

IBM Forms Server| 8.0.1.| LO87133
IBM Forms Server| 8.1.
| LO87133|

Download and install 8.1.0-FormsServer-WFS-IF0002

IBM Forms Server| 8.2.*| LO87133|

Download and install 8.2.0-FormsServer-WFS-IF0001

Note: Before installing this update, you must first install the WebSphere Application Server fix for APAR PI50993. Installing this update without the fix for WAS will cause IBM Forms Server to fail.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for E9094C448DDFA53F1801F49370E9B1301873155775CFD8E4A6A53500E27FBB43