| Descripción: | Summary:
The remote host is missing an update for the 'jakarta-commons-collections'
package(s) announced via the referenced advisory.
Vulnerability Insight:
The Jakarta/Apache Commons Collections library
provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
With this update, deserialization of certain classes in the
commons-collections library is no longer allowed. Applications that require
those classes to be deserialized can use the system property
'org.apache.commons.collections.enableUnsafeSerialization' to re-enable
their deserialization.
Further information about this security flaw may be found at the linked references.
All users of jakarta-commons-collections are advised to upgrade to these
updated packages, which contain a backported patch to correct this issue.
All running applications using the commons-collections library must be
restarted for the update to take effect.
Affected Software/OS:
jakarta-commons-collections on Red Hat Enterprise Linux (v. 5 server)
Solution:
Please Install the Updated Packages.
CVSS Score:
10.0
CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C
|
