SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Apache Commons Components
Vendors:   Apache Software Foundation
Apache Commons Components Deserialization in InvokerTransformer Lets Remote Users Execute Arbitrary Code on the Target System
SecurityTracker Alert ID:  1034097
SecurityTracker URL:  http://securitytracker.com/id/1034097
CVE Reference:   CVE-2015-7501
Updated:  Nov 16 2015
Original Entry Date:  Nov 9 2015
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in Apache Commons Collections (tracked here under Apache Commons Components). A remote user can execute arbitrary code on the target system.

A remote user can send specially crafted serialized Java object data to an application or application server that deserializes untrusted input while a vulnerable version of Apache Commons Collections is on its classpath. The library's 'InvokerTransformer' class uses reflection to call a caller-named method on a caller-supplied object, and it can be reconstructed from a serialized stream. Chained with other serializable classes, it lets the attacker run arbitrary code (for example, via Runtime.exec()) while ObjectInputStream.readObject() is still executing, before the application ever inspects the returned object. The application does not need to use InvokerTransformer itself; the class only needs to be loadable.

Applications that deserialize untrusted Java objects may be affected.

Applications that use other libraries (e.g., Groovy, Spring) may also be affected, because those libraries supply their own chains of serializable classes with the same effect.

Application servers (e.g., WebLogic, WebSphere, JBoss) and products built on them (the FoxGlove advisory below covers Jenkins and OpenNMS as well) may be affected.
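The vulnerable and hardened call sites side by side, as an added example written for this page (not code from the advisory, from FoxGlove Security, or from the Apache project). The class name AllowlistObjectInputStream, the allowlist contents and the two sample payloads are assumptions made for the demonstration; the point is that a look-ahead resolveClass() rejects an unexpected class name before the class is loaded, which is what keeps a Commons Collections gadget chain from ever being instantiated:

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not from the advisory or the Apache project): a look-ahead
 * ObjectInputStream that refuses every class not on an explicit allowlist, so a
 * gadget class such as org.apache.commons.collections.functors.InvokerTransformer
 * is never loaded, let alone instantiated.
 */
public class SafeDeserializationDemo {

    // Assumed allowlist for this demo: only the types our protocol legitimately carries.
    // java.lang.Number is needed because Integer's serializable superclass descriptor is also resolved.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap", "java.lang.Integer", "java.lang.Number"));

    /** Hardened stream: resolveClass() runs before any instance of the class is created. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Fail closed: unknown classes, including every Commons Collections functor, are refused.
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Vulnerable pattern described in the advisory: deserializes whatever the peer sent. */
    static Object unsafeReadObject(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    /** Hardened replacement: same call site, allowlisted stream. */
    static Object safeReadObject(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign payload: the kind of object the application expects.
        Map<String, Integer> expected = new HashMap<>();
        expected.put("count", 3);
        byte[] benign = serialize(expected);
        System.out.println("allowlisted payload: " + safeReadObject(benign));

        // Constructed stand-in for an unexpected class. A real CVE-2015-7501 payload would name
        // org.apache.commons.collections.functors.InvokerTransformer here; any class off the
        // allowlist is refused the same way, before it is loaded.
        byte[] unexpected = serialize(new Date(0));
        System.out.println("unsafe stream accepts it: " + unsafeReadObject(unexpected));
        try {
            safeReadObject(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlist refused: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later (and 8u121 and later) the same policy can be applied without subclassing, via JEP 290 serialization filters: ObjectInputFilter.Config.createFilter("java.util.HashMap;java.lang.Integer;java.lang.Number;!*") passed to setObjectInputFilter() on the stream, or process-wide through the jdk.serialFilter system property. Either way, allowlisting by class name addresses the whole class of problem, whereas blocklisting InvokerTransformer alone leaves the Groovy and Spring chains mentioned above untouched.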

Stephen Breen of FoxGlove Security reported details of this vulnerability.

The advisory is available at:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#commons

Christopher Frohoff and Gabriel Lawrence originally reported this vulnerability at AppSecCali 2015 in January 2015.

The original advisory is available at:

http://www.slideshare.net/frohoff1/appseccali-2015-marshalling-pickles

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix. Apache Commons Collections 3.2.2 and 4.1 refuse, by default, to deserialize InvokerTransformer and the other functors that can invoke arbitrary code during deserialization. In 3.2.2 the old behavior can be re-enabled only by setting the system property org.apache.commons.collections.enableUnsafeSerialization=true, which should be left unset. The fix commit is available at:

http://svn.apache.org/viewvc?view=revision&revision=1713307

The vendor's advisory is available at:

https://issues.apache.org/jira/browse/COLLECTIONS-580

Upgrading the library removes this particular gadget chain but does not make deserialization of untrusted data safe: an application that still calls ObjectInputStream.readObject() on attacker-controlled input remains exposed through other classes on its classpath (see the Groovy and Spring chains noted above). Restrict which classes may be deserialized, or stop deserializing untrusted input altogether.
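A practitioner's first question after this fix was which copies of commons-collections on a host still needed upgrading, since the jar is bundled inside many of the products listed in the message history below. The following audit tool is an added example written for this page (not from the advisory or the Apache project): it walks a directory tree, identifies every jar that ships InvokerTransformer, reads the version from Maven's pom.properties or the manifest, and flags 3.x below 3.2.2 and 4.x below 4.1. The class and method names are this example's own, and when run without arguments it scans two constructed sample jars rather than a real installation:

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.jar.*;
import java.util.stream.*;

/**
 * Added example (not from the advisory or the Apache project): locate Commons Collections
 * jars and flag versions that still deserialize InvokerTransformer. Names, thresholds and
 * the constructed sample jars are this example's own.
 */
public class CommonsCollectionsAudit {

    // Commons Collections 3.x and 4.x place the class in different packages.
    static final String FUNCTOR_3 = "org/apache/commons/collections/functors/InvokerTransformer.class";
    static final String FUNCTOR_4 = "org/apache/commons/collections4/functors/InvokerTransformer.class";
    static final String POM_3 = "META-INF/maven/commons-collections/commons-collections/pom.properties";
    static final String POM_4 = "META-INF/maven/org.apache.commons/commons-collections4/pom.properties";

    static final class Finding {
        final Path jar; final String version; final boolean vulnerable;
        Finding(Path jar, String version, boolean vulnerable) {
            this.jar = jar; this.version = version; this.vulnerable = vulnerable;
        }
        @Override public String toString() {
            return (vulnerable ? "VULNERABLE " : "ok         ") + version + "  " + jar;
        }
    }

    /** Inspect one jar; empty if it does not contain InvokerTransformer at all. */
    static Optional<Finding> inspect(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            boolean v3 = jf.getEntry(FUNCTOR_3) != null;
            boolean v4 = jf.getEntry(FUNCTOR_4) != null;
            if (!v3 && !v4) return Optional.empty();
            String version = readVersion(jf, v3 ? POM_3 : POM_4);
            // 3.2.2 refuses to deserialize the unsafe functors by default; 4.1 made them non-Serializable.
            // An unknown version is reported as vulnerable (fail closed).
            boolean vulnerable = version == null || compareVersions(version, v3 ? "3.2.2" : "4.1") < 0;
            return Optional.of(new Finding(jar, version == null ? "unknown" : version, vulnerable));
        }
    }

    /** Version from Maven's pom.properties, else the manifest's Implementation-Version, else null. */
    static String readVersion(JarFile jf, String pomEntry) throws IOException {
        JarEntry e = jf.getJarEntry(pomEntry);
        if (e != null) {
            Properties p = new Properties();
            try (InputStream in = jf.getInputStream(e)) { p.load(in); }
            if (p.getProperty("version") != null) return p.getProperty("version").trim();
        }
        Manifest m = jf.getManifest();
        return m == null ? null : m.getMainAttributes().getValue("Implementation-Version");
    }

    /** Numeric dotted-version comparison; non-numeric segments (e.g. "SNAPSHOT") count as 0. */
    static int compareVersions(String a, String b) {
        String[] x = a.split("[.-]"), y = b.split("[.-]");
        for (int i = 0; i < Math.max(x.length, y.length); i++) {
            int xi = i < x.length ? parse(x[i]) : 0, yi = i < y.length ? parse(y[i]) : 0;
            if (xi != yi) return Integer.compare(xi, yi);
        }
        return 0;
    }
    private static int parse(String s) {
        try { return Integer.parseInt(s); } catch (NumberFormatException e) { return 0; }
    }

    /** Recursively audit every *.jar under root. */
    static List<Finding> audit(Path root) throws IOException {
        List<Finding> out = new ArrayList<>();
        List<Path> jars;
        try (Stream<Path> paths = Files.walk(root)) {
            jars = paths.filter(q -> q.toString().endsWith(".jar")).collect(Collectors.toList());
        }
        for (Path p : jars) inspect(p).ifPresent(out::add);
        return out;
    }

    // Constructed sample jar: only the entries this audit looks at, no real bytecode.
    static void writeSampleJar(Path file, String functorEntry, String pomEntry, String version) throws IOException {
        try (JarOutputStream jos = new JarOutputStream(Files.newOutputStream(file))) {
            jos.putNextEntry(new JarEntry(functorEntry)); jos.closeEntry();
            jos.putNextEntry(new JarEntry(pomEntry));
            jos.write(("version=" + version + "\n").getBytes("ISO-8859-1"));
            jos.closeEntry();
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = args.length > 0 ? Paths.get(args[0]) : Files.createTempDirectory("cc-audit");
        if (args.length == 0) {  // no directory given: scan two constructed jars instead
            writeSampleJar(root.resolve("commons-collections-3.2.1.jar"), FUNCTOR_3, POM_3, "3.2.1");
            writeSampleJar(root.resolve("commons-collections-3.2.2.jar"), FUNCTOR_3, POM_3, "3.2.2");
        }
        for (Finding f : audit(root)) System.out.println(f);
    }
}
```

Run it against an application server's installation root (java CommonsCollectionsAudit /opt/jboss, for instance). Jars nested inside WAR and EAR archives are not opened by this version; extracting those first, or recursing into them with the same JarFile logic, is the obvious extension. A jar with no version metadata is deliberately reported as vulnerable rather than silently skipped.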

Vendor URL:  commons.apache.org/
Cause:   Input validation error (deserialization of untrusted data)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 12 2015 (Oracle Issues Advisory for Oracle WebLogic): Oracle has issued an advisory for Oracle WebLogic Server.
Nov 16 2015 (IBM Issues Fix for IBM WebSphere Application Server): IBM has issued a fix for IBM WebSphere Application Server.
Nov 24 2015 (Red Hat Issues Fix for JBoss): Red Hat has issued a fix for JBoss for Red Hat Enterprise Linux 5, 6, and 7.
Nov 30 2015 (Red Hat Issues Fix): Red Hat has issued a fix for Red Hat Enterprise Linux 7.
Nov 30 2015 (Red Hat Issues Fix): Red Hat has issued a fix for rh-java-common-apache-commons-collections for Red Hat Enterprise Linux 6, 6.6, 6.7, 7, and 7.1.
Dec 1 2015 (Red Hat Issues Fix for JBoss Data Virtualization): Red Hat has issued a fix for JBoss Data Virtualization 6.0.0, 6.1.0, and 6.2.0.
Dec 3 2015 (Red Hat Issues Fix for JBoss EAP): Red Hat has issued a fix for JBoss EAP.
Dec 3 2015 (IBM Issues Fix for IBM Tivoli Composite Application Manager): IBM has issued a fix for IBM Tivoli Composite Application Manager 7.2.
Dec 3 2015 (IBM Issues Fix for IBM WebSphere Application Server Community Edition): IBM has issued a fix for IBM WebSphere Application Server Community Edition.
Dec 3 2015 (IBM Issues Fix for IBM Cognos Metrics Manager): IBM has issued a fix for IBM Cognos Metrics Manager.
Dec 4 2015 (IBM Issues Fix for IBM SPSS Collaboration and Deployment Services): IBM has issued a fix for IBM SPSS Collaboration and Deployment Services.
Dec 4 2015 (IBM Issues Fix for IBM InfoSphere Information Server): IBM has issued a fix for IBM InfoSphere Information Server.
Dec 9 2015 (IBM Issues Fix for IBM Tivoli Composite Application Manager Agent for Application Diagnostics): IBM has issued a fix for IBM Tivoli Composite Application Manager Agent for Application Diagnostics.
Dec 9 2015 (IBM Issues Fix for IBM SPSS Analytic Server): IBM has issued a fix for IBM SPSS Analytic Server 2.0.
Dec 9 2015 (IBM Issues Fix for IBM Tivoli Storage Manager Administration Center): IBM has issued a fix for IBM Tivoli Storage Manager Administration Center.
Dec 11 2015 (Red Hat Issues Fix for JBoss BPM Suite): Red Hat has issued a fix for JBoss BPM Suite.
Dec 11 2015 (Red Hat Issues Fix for JBoss BRMS): Red Hat has issued a fix for JBoss BRMS.
Dec 17 2015 (AttachmateWRQ Issues Fix for Attachmate Verastream): AttachmateWRQ has issued a fix for Attachmate Verastream Host Integrator and Verastream Process Designer.
Dec 18 2015 (VMware Issues Fix for VMware vCenter Orchestrator): VMware has issued a fix for VMware vCenter Orchestrator.
Jan 4 2016 (IBM Issues Fix for IBM Cognos Controller): IBM has issued a fix for IBM Cognos Controller.
Jan 8 2016 (McAfee Issues Fix for McAfee ePolicy Orchestrator): McAfee has issued a fix for McAfee ePolicy Orchestrator.
Jan 12 2016 (IBM Issues Fix for IBM Lotus Notes and Domino): IBM has issued a fix for IBM Lotus Notes and Domino 8.5 and 9.0.
Jan 14 2016 (Red Hat Issues Fix for JBoss Operations Network): Red Hat has issued a fix for JBoss Operations Network for Red Hat Enterprise Linux.
Jan 29 2016 (HP Issues Fix for HP Operations Manager): HP has issued a fix for HP Operations Manager.
Jan 30 2016 (VMware Issues Fix for VMware vCenter Orchestrator): VMware has issued a fix for VMware vCenter Orchestrator 5.x.
Mar 15 2016 (VMware Issues Fix for VMware vRealize Operations and VMware vRealize Infrastructure Navigator): VMware has issued a fix for VMware vRealize Operations and VMware vRealize Infrastructure Navigator.
Mar 18 2016 (HPE Issues Fix for HPE Operations Orchestration): HPE has issued a fix for HPE Operations Orchestration 10.x.
Mar 21 2016 (HPE Issues Fix for HPE Service Manager): HPE has issued a fix for HPE Service Manager.
Mar 30 2016 (HP Issues Fix for HPE Release Control): HP has issued a fix for HPE Release Control.
Mar 31 2016 (HPE Issues Fix for HPE AssetManager): HPE has issued a fix for HPE AssetManager.
Apr 19 2016 (HPE Issues Fix for HPE XP P9000 Command View Advanced Edition): HPE has issued a fix for HPE XP P9000 Command View Advanced Edition.
Apr 19 2016 (Oracle Issues Fix for Oracle Enterprise Manager): Oracle has issued a fix for Oracle Enterprise Manager.
May 10 2016 (Adobe Issues Fix for Adobe ColdFusion): Adobe has issued a fix for Adobe ColdFusion.
Jun 7 2016 (HP Issues Fix for HPE Discovery & Dependency Mapping Inventory (DDMI)): HP has issued a fix for HPE Discovery & Dependency Mapping Inventory (DDMI).
Jun 7 2016 (HP Issues Fix for HPE Universal Configuration Management Database): HP has issued a fix for HPE Universal Configuration Management Database.
Jul 12 2016 (HPE Issues Fix for HPE Intelligent Management Center): HPE has issued a fix for HPE Intelligent Management Center.
Jul 19 2016 (Oracle Issues Fix for Oracle Primavera Products Suite): Oracle has issued a fix for Oracle Primavera Products Suite.
Jul 19 2016 (Oracle Issues Fix for Oracle Policy Automation): Oracle has issued a fix for Oracle Policy Automation.
Jul 19 2016 (Oracle Issues Fix for Oracle Utilities Applications): Oracle has issued a fix for Oracle Utilities Applications.
Jul 20 2016 (Oracle Issues Fix for Oracle Financial Services Applications): Oracle has issued a fix for Oracle Financial Services Applications.
Jul 20 2016 (Oracle Issues Fix for Oracle Health Sciences Applications): Oracle has issued a fix for Oracle Health Sciences Applications.
Jul 20 2016 (Oracle Issues Fix for Oracle Insurance Applications): Oracle has issued a fix for Oracle Insurance Applications.
Jul 20 2016 (Oracle Issues Fix for Oracle Retail Applications): Oracle has issued a fix for Oracle Retail Applications.
Jul 25 2016 (HP Issues Fix for HPE Operations Manager): HP has issued a fix for HPE Operations Manager for Unix, Solaris, and Linux.
Sep 22 2016 (HPE Issues Fix for HPE Network Automation): HPE has issued a fix for HPE Network Automation.
Oct 18 2016 (Oracle Issues Fix for Oracle Insurance Applications): Oracle has issued a fix for Oracle Insurance Applications.
Nov 8 2016 (HP Issues Fix for HPE OpenView Network Node Manager i): HP has issued a fix for HPE OpenView Network Node Manager i.
Nov 9 2016 (HPE Issues Fix for HPE Business Service Management): HPE has issued a fix for HPE Business Service Management.
Apr 19 2017 (Oracle Issues Fix for Oracle Fusion Middleware): Oracle has issued a fix for Oracle Fusion Middleware.



Source Message Contents

[Original Message Not Available for Viewing]

Copyright 2019, SecurityGlobal.net LLC