Content-Type: |
text/plain; charset="utf-8" |
Date: |
Mon, 30 Nov 2015 19:23:36 +0000 |
Reply-To: |
|
Subject: |
|
MIME-Version: |
1.0 |
Message-ID: |
|
Content-Transfer-Encoding: |
7bit |
Sender: |
|
From: |
|
Parts/Attachments: |
|
|
Synopsis: Important: apache-commons-collections security update
Advisory ID: SLSA-2015:2522-1
Issue Date: 2015-11-30
CVE Numbers: CVE-2015-7501
--
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the commons-
collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the commons-
collections library is no longer allowed. Applications that require those
classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.
All running applications using the commons-collections library must be
restarted for the update to take effect.
--
SL7
noarch
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm
- Scientific Linux Development Team
|
|
|