Red Hat Security Advisory RHSA-2015:2523
Published: Nov 30, 2015
Source: access.redhat.com
EPSS: 0.018 (percentile 88.4%)

(RHSA-2015:2523) Important: rh-java-common-apache-commons-collections security update

The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. The library's serializable functor classes (for example
InvokerTransformer) can be chained so that a plain
ObjectInputStream.readObject() on attacker-supplied data invokes arbitrary
methods by reflection; the application does not need to call
commons-collections itself, only to have it on the classpath and to
deserialize untrusted input. A remote attacker could use this flaw to
execute arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the
commons-collections library (the functor classes used in the known exploit
chains, such as InvokerTransformer) is no longer allowed and is rejected
with an exception. Applications that require those classes to be
deserialized can use the system property
“org.apache.commons.collections.enableUnsafeSerialization” (for example,
-Dorg.apache.commons.collections.enableUnsafeSerialization=true on the JVM
command line) to re-enable their deserialization. Note that setting this
property restores the vulnerable behaviour; it should only be set where the
application never deserializes untrusted data.
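The following is an added example, not Red Hat's or Apache's code, showing a defence that does not depend on the library's enableUnsafeSerialization switch: an ObjectInputStream subclass that resolves only allow-listed classes, so a stream whose descriptors name commons-collections functor classes (or any other class the application does not expect) is rejected before that class is instantiated or its readObject runs. The class name AllowListObjectInputStream, the helper names and the allow-list contents are assumptions made for the illustration; the sample inputs are constructed. It also includes a helper that reports whether the advisory's re-enable property is set in the running JVM.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not Red Hat's or Apache's code): an ObjectInputStream that
 * only resolves classes from an explicit allow-list, so a stream carrying
 * commons-collections functor classes (or any other gadget class) is refused
 * before any of that class's code runs, whether or not the library's own
 * enableUnsafeSerialization switch has been turned back on.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Assumption: the classes this hypothetical application legitimately exchanges.
    // Serializable superclasses get their own descriptors, so they must be listed too.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList",
            "java.util.HashMap",
            "java.lang.Integer",
            "java.lang.Number"));

    static final String CC_FUNCTORS = "org.apache.commons.collections.functors.";

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // resolveClass is invoked for every class descriptor before the object is
        // instantiated or its readObject is called, so throwing here stops a chain
        // at its first link. The functor package is named explicitly for clarity;
        // the allow-list alone would already reject it.
        if (name.startsWith(CC_FUNCTORS) || !ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not permitted for deserialization");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize untrusted bytes through the allow-list. */
    public static Object readTrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /**
     * Audit helper: true if the re-enable property from the advisory is set in
     * this JVM, i.e. the patched library would deserialize its functor classes again.
     */
    public static boolean unsafeSerializationReEnabled() {
        return Boolean.getBoolean("org.apache.commons.collections.enableUnsafeSerialization");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a list of strings, which the allow-list accepts.
        List<String> names = new ArrayList<>(Arrays.asList("alice", "bob"));
        System.out.println("accepted: " + readTrusted(serialize(names)));

        // Constructed sample input: a class outside the allow-list stands in for a
        // gadget class; it is refused before its readObject could run.
        try {
            readTrusted(serialize(new Date(0)));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        System.out.println("enableUnsafeSerialization=true in this JVM: "
                + unsafeSerializationReEnabled());
    }
}
```

Run it once with no flags and once with -Dorg.apache.commons.collections.enableUnsafeSerialization=true to see the audit helper flip; the allow-list rejection is the same in both cases, which is the point of not relying on the library's switch. On Java 9 and later the same policy can be expressed with ObjectInputFilter instead of overriding resolveClass.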

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of rh-java-common-apache-commons-collections are advised to
upgrade to these updated packages, which contain a backported patch to
correct this issue. All running applications using the commons-collections
library must be restarted for the update to take effect.