CVE-2015-7501

Current Description

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Basic Data

Published: November 09, 2017
Last Modified: July 15, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-502
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 10.0
Severity: HIGH
Exploitability Score: 10.0
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

CVSS 3 - Version: 3.0
CVSS 3 - Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 3 - Attack Vector: NETWORK
CVSS 3 - Attack Complexity: LOW
CVSS 3 - Privileges Required: NONE
CVSS 3 - User Interaction: NONE
CVSS 3 - Scope: UNCHANGED
CVSS 3 - Confidentiality Impact: HIGH
CVSS 3 - Integrity Impact: HIGH
CVSS 3 - Availability Impact: HIGH
CVSS 3 - Base Score: 9.8
CVSS 3 - Base Severity: CRITICAL
Exploitability Score: 3.9
Base Severity: CRITICAL

Configurations

  • OR - Configuration 1 (any one of the following CPE matches applies)
    CPE Version | Part | Vendor | Product | Version | SW Edition
    (All other CPE fields, namely Update, Edition, Language, Target SW, Target HW and Other, are "*" in every row, and no Version Start/End bounds are set.)
    2.3 | Application | Redhat | Data Grid | 6.0.0 | *
    2.3 | Application | Redhat | Jboss A-mq | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Bpm Suite | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Data Virtualization | 5.0.0 | *
    2.3 | Application | Redhat | Jboss Data Virtualization | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 4.3.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 5.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Brms Platform | 5.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Brms Platform | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Soa Platform | 5.0.0 | *
    2.3 | Application | Redhat | Jboss Enterprise Web Server | 3.0.0 | *
    2.3 | Application | Redhat | Jboss Fuse | 6.0.0 | *
    2.3 | Application | Redhat | Jboss Fuse Service Works | 6.0 | *
    2.3 | Application | Redhat | Jboss Operations Network | 3.0 | *
    2.3 | Application | Redhat | Jboss Portal | 6.0.0 | *
    2.3 | Application | Redhat | Openshift | 3.0 | enterprise
    2.3 | Application | Redhat | Subscription Asset Manager | 1.3.0 | *
    2.3 | Application | Redhat | Xpaas | 3.0.0 | *

Vulnerable Software List

Vendor | Product | Versions
Redhat | Jboss A-mq | 6.0.0
Redhat | Jboss Enterprise Application Platform | 4.3.0, 5.0.0, 6.0.0
Redhat | Jboss Fuse | 6.0.0
Redhat | Jboss Data Virtualization | 5.0.0, 6.0.0
Redhat | Jboss Enterprise Brms Platform | 5.0.0, 6.0.0
Redhat | Jboss Operations Network | 3.0
Redhat | Jboss Enterprise Soa Platform | 5.0.0
Redhat | Jboss Enterprise Web Server | 3.0.0
Redhat | Jboss Bpm Suite | 6.0.0
Redhat | Openshift | 3.0
Redhat | Jboss Fuse Service Works | 6.0
Redhat | Data Grid | 6.0.0
Redhat | Subscription Asset Manager | 1.3.0
Redhat | Xpaas | 3.0.0
Redhat | Jboss Portal | 6.0.0

References

Name | URL | Source | Tags
RHSA-2015:2500 | http://rhn.redhat.com/errata/RHSA-2015-2500.html | REDHAT | -
RHSA-2015:2501 | http://rhn.redhat.com/errata/RHSA-2015-2501.html | REDHAT | -
RHSA-2015:2502 | http://rhn.redhat.com/errata/RHSA-2015-2502.html | REDHAT | -
RHSA-2015:2514 | http://rhn.redhat.com/errata/RHSA-2015-2514.html | REDHAT | -
RHSA-2015:2516 | http://rhn.redhat.com/errata/RHSA-2015-2516.html | REDHAT | -
RHSA-2015:2517 | http://rhn.redhat.com/errata/RHSA-2015-2517.html | REDHAT | -
RHSA-2015:2521 | http://rhn.redhat.com/errata/RHSA-2015-2521.html | REDHAT | -
RHSA-2015:2522 | http://rhn.redhat.com/errata/RHSA-2015-2522.html | REDHAT | -
RHSA-2015:2524 | http://rhn.redhat.com/errata/RHSA-2015-2524.html | REDHAT | -
RHSA-2015:2670 | http://rhn.redhat.com/errata/RHSA-2015-2670.html | REDHAT | -
RHSA-2015:2671 | http://rhn.redhat.com/errata/RHSA-2015-2671.html | REDHAT | -
RHSA-2016:0040 | http://rhn.redhat.com/errata/RHSA-2016-0040.html | REDHAT | -
RHSA-2016:1773 | http://rhn.redhat.com/errata/RHSA-2016-1773.html | REDHAT | -
Oracle CPU April 2018 | http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | CONFIRM | -
Oracle CPU January 2018 | http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | CONFIRM | -
Oracle CPU July 2018 | http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | CONFIRM | -
Oracle CPU October 2018 | http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | CONFIRM | -
78215 | http://www.securityfocus.com/bid/78215 | BID | Third Party Advisory, VDB Entry
1034097 | http://www.securitytracker.com/id/1034097 | SECTRACK | Third Party Advisory, VDB Entry
1037052 | http://www.securitytracker.com/id/1037052 | SECTRACK | Third Party Advisory, VDB Entry
1037053 | http://www.securitytracker.com/id/1037053 | SECTRACK | Third Party Advisory, VDB Entry
1037640 | http://www.securitytracker.com/id/1037640 | SECTRACK | Third Party Advisory, VDB Entry
Red Hat vulnerability page 2059393 | https://access.redhat.com/security/vulnerabilities/2059393 | CONFIRM | Vendor Advisory
Red Hat solution 2045023 | https://access.redhat.com/solutions/2045023 | CONFIRM | Vendor Advisory
Red Hat Bugzilla 1279330 | https://bugzilla.redhat.com/show_bug.cgi?id=1279330 | CONFIRM | Issue Tracking, Third Party Advisory, VDB Entry, Vendor Advisory
RHSA-2015:2536 | https://rhn.redhat.com/errata/RHSA-2015-2536.html | REDHAT | -
Oracle CPU July 2020 | https://www.oracle.com/security-alerts/cpujul2020.html | MISC | -