Synopsis: Important: jakarta-commons-collections security update
Advisory ID: SLSA-2015:2671-1
Issue Date: 2015-12-21
CVE Numbers: CVE-2015-7501
—
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the commons-
collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the commons-
collections library is no longer allowed. Applications that require those
classes to be deserialized can use the system property
“org.apache.commons.collections.enableUnsafeSerialization” to re-enable
their deserialization.
In the interim, the quickest way to resolve this specific deserialization vulnerability is to remove the vulnerable class files (InvokerTransformer, InstantiateFactory, and InstantiateTransformer) in all commons-collections jar files. Any manual changes should be tested to avoid unforseen complications.
All running applications using the commons-collections library must be
restarted for the update to take effect.
—
SL5
x86_64
jakarta-commons-collections-debuginfo-3.2-2jpp.4.x86_64.rpm
jakarta-commons-collections-tomcat5-3.2-2jpp.4.x86_64.rpm
jakarta-commons-collections-3.2-2jpp.4.x86_64.rpm
jakarta-commons-collections-javadoc-3.2-2jpp.4.x86_64.rpm
jakarta-commons-collections-testframework-3.2-2jpp.4.x86_64.rpm
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.x86_64.rpm
i386
jakarta-commons-collections-debuginfo-3.2-2jpp.4.i386.rpm
jakarta-commons-collections-tomcat5-3.2-2jpp.4.i386.rpm
jakarta-commons-collections-3.2-2jpp.4.i386.rpm
jakarta-commons-collections-javadoc-3.2-2jpp.4.i386.rpm
jakarta-commons-collections-testframework-3.2-2jpp.4.i386.rpm
jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4.i386.rpm
– Scientific Linux Development Team
