CVE-2015-6420HIGH
Description
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
References
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/78872
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
https://lists.apache.org/thread.html/[email protected]%3Ccommits.samza.apache.org%3E
https://www.kb.cert.org/vuls/id/581311
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:* versions up to 3.2.1 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 99935 | Cisco Security Manager Java Object Deserialization RCE (CSCux34671) | Nessus | Misc. | high |
| 99934 | Cisco Prime LAN Management Solution Java Object Deserialization RCE (CSCux34647) | Nessus | Misc. | high |
| 93939 | Cisco Unified Communications Manager Java Object Deserialization RCE (CSCux34835) | Nessus | CISCO | high |