Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Recent assessments:
securitony at February 29, 2020 8:41pm UTC reported:
Several Red Hat JBoss products (JBoss Middleware Suite) widely used in enterprise environments were found to be vulnerable to a Java object serialization flaw. Exploit code is publicly available and PoC exploits are easy to develop, which allow attackers to execute arbitrary code on the affected servers with the permissions of the JBoss application.
The vulnerability resides in Apache Commons Collections library which allows deserialization of untrusted user input in JBoss and many other software products (for more information: <https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>),
J3rryBl4nks at March 10, 2020 2:48pm UTC reported:
Several Red Hat JBoss products (JBoss Middleware Suite) widely used in enterprise environments were found to be vulnerable to a Java object serialization flaw. Exploit code is publicly available and PoC exploits are easy to develop, which allow attackers to execute arbitrary code on the affected servers with the permissions of the JBoss application.
The vulnerability resides in Apache Commons Collections library which allows deserialization of untrusted user input in JBoss and many other software products (for more information: <https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/>),
Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5
rhn.redhat.com/errata/RHSA-2015-2500.html
rhn.redhat.com/errata/RHSA-2015-2501.html
rhn.redhat.com/errata/RHSA-2015-2502.html
rhn.redhat.com/errata/RHSA-2015-2514.html
rhn.redhat.com/errata/RHSA-2015-2516.html
rhn.redhat.com/errata/RHSA-2015-2517.html
rhn.redhat.com/errata/RHSA-2015-2521.html
rhn.redhat.com/errata/RHSA-2015-2522.html
rhn.redhat.com/errata/RHSA-2015-2524.html
rhn.redhat.com/errata/RHSA-2015-2670.html
rhn.redhat.com/errata/RHSA-2015-2671.html
rhn.redhat.com/errata/RHSA-2016-0040.html
rhn.redhat.com/errata/RHSA-2016-1773.html
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
www.securityfocus.com/bid/78215
www.securitytracker.com/id/1034097
www.securitytracker.com/id/1037052
www.securitytracker.com/id/1037053
www.securitytracker.com/id/1037640
access.redhat.com/security/vulnerabilities/2059393
access.redhat.com/solutions/2045023
bugzilla.redhat.com/show_bug.cgi?id=1279330
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
rhn.redhat.com/errata/RHSA-2015-2536.html
www.oracle.com/security-alerts/cpujul2020.html