IBMECDAD91B40717D302E53EC250B57F9219834CC0086D59A26ACB8BC5B0D731D7ASecurity Bulletin: Vulnerability in Apache Commons affects WebSphere Message Broker and IBM Integration Bus (CVE-2015-7450)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
An Apache Commons Collections vulnerability for handling Java object deserialization was addressed in the Global Cache component of WebSphere Message Broker and IBM Integration Bus
Vulnerability Details
CVEID: CVE-2015-7450**
DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Integration Bus V9 , V10
WebSphere Message Broker V8
Remediation/Fixes
Product
| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus
| V10.0.0.2 and higher
| IT12315 | An interim fix is available from IBM Fix Central.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12315
The APAR is targeted to be available in fix pack 10.0.0.4
IBM Integration Bus
| V10.0.0.1 and lower
| IT12306 | An interim fix is available from IBM Fix Central.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12306
IBM Integration Bus
| V9
| IT12306 | An interim fix is available from IBM Fix Central.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/Integration+Bus&release=All&platform=All&function=aparId&apars= IT12306
The APAR is targeted to be available in fix pack 9.0.0.5
WebSphere Message Broker
| V8
| IT12306 | An interim fix is available from IBM Fix Central.
http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=IT12306
The APAR is targeted to be available in fix pack 8.0.0.7
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :
http://www.ibm.com/support/docview.wss?uid=swg27006308
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| websphere message broker | eq | 8.0 | |
| ibm integration bus | eq | 10.0 | |
| ibm integration bus | eq | 9.0 |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C