CVE-2015-7501 : Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG)

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Published 2017-11-09 17:29:00

Updated 2024-02-16 13:15:08

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2015-7501

Redhat » Jboss Enterprise Application Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 4.3.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:4.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Soa Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_soa_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Operations Network » Version: 3.0
cpe:2.3:a:redhat:jboss_operations_network:3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Brms Platform » Version: 5.0.0
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Brms Platform » Version: 6.0.0
cpe:2.3:a:redhat:jboss_enterprise_brms_platform:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift » Version: 3.0 Enterprise Edition
cpe:2.3:a:redhat:openshift:3.0:*:*:*:enterprise:*:*:*
Matching versions
Redhat » Subscription Asset Manager » Version: 1.3.0
cpe:2.3:a:redhat:subscription_asset_manager:1.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Web Server » Version: 3.0.0
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Fuse » Version: 6.0.0
cpe:2.3:a:redhat:jboss_fuse:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss A-mq » Version: 6.0.0
cpe:2.3:a:redhat:jboss_a-mq:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Bpm Suite » Version: 6.0.0
cpe:2.3:a:redhat:jboss_bpm_suite:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Fuse Service Works » Version: 6.0
cpe:2.3:a:redhat:jboss_fuse_service_works:6.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Data Virtualization » Version: 6.0.0
cpe:2.3:a:redhat:jboss_data_virtualization:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Data Virtualization » Version: 5.0.0
cpe:2.3:a:redhat:jboss_data_virtualization:5.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Portal » Version: 6.0.0
cpe:2.3:a:redhat:jboss_portal:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Data Grid » Version: 6.0.0
cpe:2.3:a:redhat:data_grid:6.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Xpaas » Version: 3.0.0
cpe:2.3:a:redhat:xpaas:3.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2015-7501

EPSS FAQ

73.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2015-7501

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2015-7501

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2015-7501

https://rhn.redhat.com/errata/RHSA-2015-2536.html

RHSA-2015:2536 - Security Advisory - Red Hat Customer Portal
http://rhn.redhat.com/errata/RHSA-2015-2521.html

RHSA-2015:2521 - Security Advisory - Red Hat Customer Portal
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

CPU Oct 2018

CVEs referencing this url
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Oracle Critical Patch Update - April 2018

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujul2020.html

Oracle Critical Patch Update Advisory - July 2020

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2524.html

RHSA-2015:2524 - Security Advisory - Red Hat Customer Portal
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Oracle Critical Patch Update - January 2018

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2516.html

RHSA-2015:2516 - Security Advisory - Red Hat Customer Portal
http://rhn.redhat.com/errata/RHSA-2015-2500.html

RHSA-2015:2500 - Security Advisory - Red Hat Customer Portal
http://rhn.redhat.com/errata/RHSA-2016-1773.html

RHSA-2016:1773 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.securitytracker.com/id/1037053

Oracle VM VirtualBox Multiple Flaws Let Remote and Local Users Access and Modify Data and Let Local Users Deny Service and Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=1279330

1279330 – (CVE-2015-7501) CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
Issue Tracking;Third Party Advisory;VDB Entry;Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-2501.html

RHSA-2015:2501 - Security Advisory - Red Hat Customer Portal
http://www.securitytracker.com/id/1037052

Oracle WebLogic Server Bugs Let Remote Users Deny Service and Gain Elevated Privileges and Let Local Users Access and Modify Data on the Target System - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2502.html

RHSA-2015:2502 - Security Advisory - Red Hat Customer Portal
http://www.securitytracker.com/id/1037640

MySQL Multiple Flaws Let Remote Authenticated and Local Users Access Data, Deny Service, and Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2671.html

RHSA-2015:2671 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/security/vulnerabilities/2059393

Apache commons-collections: Remote code execution during deserialisation (CVE 2015-7501) - Red Hat Customer Portal
Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2015-2517.html

RHSA-2015:2517 - Security Advisory - Red Hat Customer Portal
https://access.redhat.com/solutions/2045023

Do the unserialization/deserialization exploits against the commons-collections library affect Red Hat JBoss products? (CVE-2015-7501 ) - Red Hat Customer Portal
Vendor Advisory
http://www.securitytracker.com/id/1034097

Apache Commons Components Deserialization in InvokerTransformer Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2015-2514.html

RHSA-2015:2514 - Security Advisory - Red Hat Customer Portal
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

CPU July 2018

CVEs referencing this url
http://rhn.redhat.com/errata/RHSA-2015-2670.html

RHSA-2015:2670 - Security Advisory - Red Hat Customer Portal
http://rhn.redhat.com/errata/RHSA-2016-0040.html

RHSA-2016:0040 - Security Advisory - Red Hat Customer Portal
https://security.netapp.com/advisory/ntap-20240216-0010/

CVE-2015-7501 Redhat JBoss Vulnerability in NetApp Products | NetApp Product Security
http://www.securityfocus.com/bid/78215

Multiple RedHat JBoss Products CVE-2015-7501 Remote Code Execution Vulnerability
Third Party Advisory;VDB Entry
http://rhn.redhat.com/errata/RHSA-2015-2522.html

RHSA-2015:2522 - Security Advisory - Red Hat Customer Portal

Jump to

Vulnerability Details : CVE-2015-7501

Products affected by CVE-2015-7501

Exploit prediction scoring system (EPSS) score for CVE-2015-7501

CVSS scores for CVE-2015-7501

CWE ids for CVE-2015-7501

References for CVE-2015-7501