CVE-2015-7501

critical

Description

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

References

http://rhn.redhat.com/errata/RHSA-2015-2500.html

http://rhn.redhat.com/errata/RHSA-2015-2501.html

http://rhn.redhat.com/errata/RHSA-2015-2502.html

http://rhn.redhat.com/errata/RHSA-2015-2514.html

http://rhn.redhat.com/errata/RHSA-2015-2516.html

http://rhn.redhat.com/errata/RHSA-2015-2517.html

http://rhn.redhat.com/errata/RHSA-2015-2521.html

http://rhn.redhat.com/errata/RHSA-2015-2522.html

http://rhn.redhat.com/errata/RHSA-2015-2524.html

http://rhn.redhat.com/errata/RHSA-2015-2670.html

http://rhn.redhat.com/errata/RHSA-2015-2671.html

http://rhn.redhat.com/errata/RHSA-2016-0040.html

http://rhn.redhat.com/errata/RHSA-2016-1773.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

http://www.securityfocus.com/bid/78215

http://www.securitytracker.com/id/1034097

http://www.securitytracker.com/id/1037052

http://www.securitytracker.com/id/1037053

http://www.securitytracker.com/id/1037640

https://access.redhat.com/security/vulnerabilities/2059393

https://access.redhat.com/solutions/2045023

https://bugzilla.redhat.com/show_bug.cgi?id=1279330

https://rhn.redhat.com/errata/RHSA-2015-2536.html

https://www.oracle.com/security-alerts/cpujul2020.html

Details

Source: MITRE

Published: 2017-11-09

Updated: 2020-07-15

Type: CWE-502

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 136998 | Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU) | Nessus | Windows | critical |
| 119939 | Oracle Business Intelligence Publisher Multiple Vulnerabilities (April 2018 CPU) | Nessus | Misc. | critical |
| 119378 | RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773) | Nessus | Red Hat Local Security Checks | critical |
| 108520 | Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838) | Nessus | Junos Local Security Checks | critical |
| 106349 | Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU) | Nessus | Web Servers | critical |
| 106299 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU) | Nessus | Web Servers | critical |
| 106140 | Oracle Identity Manager Multiple Vulnerabilities (January 2018 CPU) | Nessus | Misc. | critical |
| 96769 | MySQL Enterprise Monitor 3.2.x < 3.2.2.1075 Multiple Vulnerabilities (January 2017 CPU) | Nessus | CGI abuses | critical |
| 96768 | MySQL Enterprise Monitor 3.1.x < 3.1.6.7959 Java Object Deserialization RCE (January 2017 CPU) | Nessus | CGI abuses | critical |
| 94290 | Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU) | Nessus | Misc. | critical |
| 90859 | Oracle Application Testing Suite Java Object Deserialization RCE (April 2016 CPU) | Nessus | Misc. | critical |
| 87837 | RHEL 7 : JBoss EAP (RHSA-2015:2540) | Nessus | Red Hat Local Security Checks | critical |
| 87587 | Scientific Linux Security Update : jakarta-commons-collections on SL5.x i386/x86_64 (20151221) | Nessus | Scientific Linux Local Security Checks | critical |
| 87547 | Oracle Linux 5 : jakarta-commons-collections (ELSA-2015-2671) | Nessus | Oracle Linux Local Security Checks | critical |
| 87540 | CentOS 5 : jakarta-commons-collections (CESA-2015:2671) | Nessus | CentOS Local Security Checks | critical |
| 87519 | RHEL 5 : jakarta-commons-collections (RHSA-2015:2671) | Nessus | Red Hat Local Security Checks | critical |
| 87344 | Amazon Linux AMI : apache-commons-collections (ALAS-2015-618) | Nessus | Amazon Linux Local Security Checks | critical |
| 87312 | JBoss Java Object Deserialization RCE | Nessus | Web Servers | critical |
| 87194 | RHEL 6 : JBoss EAP (RHSA-2015:2542) | Nessus | Red Hat Local Security Checks | critical |
| 87193 | RHEL 6 : JBoss EAP (RHSA-2015:2539) | Nessus | Red Hat Local Security Checks | critical |
| 87192 | RHEL 5 : JBoss EAP (RHSA-2015:2538) | Nessus | Red Hat Local Security Checks | critical |
| 87191 | RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2536) | Nessus | Red Hat Local Security Checks | critical |
| 87190 | RHEL 5 / 6 : JBoss EAP (RHSA-2015:2535) | Nessus | Red Hat Local Security Checks | critical |
| 87179 | RHEL 7 : apache-commons-collections (RHSA-2015:2522) | Nessus | Red Hat Local Security Checks | critical |
| 87174 | CentOS 6 : jakarta-commons-collections (CESA-2015:2521) | Nessus | CentOS Local Security Checks | critical |
| 87161 | CentOS 7 : apache-commons-collections (CESA-2015:2522) | Nessus | CentOS Local Security Checks | critical |
| 87121 | Scientific Linux Security Update : jakarta-commons-collections on SL6.x (noarch) (20151130) | Nessus | Scientific Linux Local Security Checks | critical |
| 87120 | Scientific Linux Security Update : apache-commons-collections on SL7.x (noarch) (20151130) | Nessus | Scientific Linux Local Security Checks | critical |
| 87119 | Oracle Linux 7 : apache-commons-collections (ELSA-2015-2522) | Nessus | Oracle Linux Local Security Checks | critical |
| 87118 | Oracle Linux 6 : jakarta-commons-collections (ELSA-2015-2521) | Nessus | Oracle Linux Local Security Checks | critical |
| 87102 | RHEL 6 : jakarta-commons-collections (RHSA-2015:2521) | Nessus | Red Hat Local Security Checks | critical |
| 87044 | RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2500) | Nessus | Red Hat Local Security Checks | critical |