jakarta-commons-collections (SL6)

Synopsis: Important: jakarta-commons-collections security update
Advisory ID: SLSA-2015:2521-1
Issue Date: 2015-11-30
CVE Numbers: CVE-2015-7501

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the commons-
collections library. (CVE-2015-7501)

With this update, deserialization of certain classes in the commons-
collections library is no longer allowed. Applications that require those
classes to be deserialized can use the system property
“org.apache.commons.collections.enableUnsafeSerialization” to re-enable
their deserialization.

In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.

All running applications using the commons-collections library must be
restarted for the update to take effect.


– Scientific Linux Development Team