 
| Subject: | |
| From: | |
| Reply To: | |
| Date: | Mon, 30 Nov 2015 19:23:36 +0000 |
| Content-Type: | text/plain |
| Parts/Attachments: |
|
|
Synopsis: Important: apache-commons-collections security update
Advisory ID: SLSA-2015:2522-1
Issue Date: 2015-11-30
CVE Numbers: CVE-2015-7501
--
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the commons-
collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the commons-
collections library is no longer allowed. Applications that require those
classes to be deserialized can use the system property
"org.apache.commons.collections.enableUnsafeSerialization" to re-enable
their deserialization.
In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.
All running applications using the commons-collections library must be
restarted for the update to take effect.
--
SL7
noarch
apache-commons-collections-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-javadoc-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-3.2.1-22.el7_2.noarch.rpm
apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2.noarch.rpm
- Scientific Linux Development Team
|
|
|
