
computer vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized gadget chain object to a Java application that uses Apache Commons Collections, in order to run arbitrary commands on the server.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/11/2015.
References of this bulletin: 1119363, 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by several Java applications.

A serialized gadget chain can embed Commons Collections Transformer objects, one of them an InvokerTransformer whose method name is "exec" and whose argument is a shell command, so that evaluating the chain ends in a reflective call to java.lang.Runtime.exec(). When untrusted data are deserialized, readObject() rebuilds the object graph and, in doing so, evaluates the transformers; the InvokerTransformer then runs the attacker's command with the privileges of the Java process.

Other functor classes of the library (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) can likewise be abused to execute arbitrary code when they are deserialized from untrusted data, so a fix that only targets InvokerTransformer is incomplete.
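The following is an added illustration, not code from the bulletin or from the Commons Collections project, of what InvokerTransformer actually does and why it is the heart of the gadget chain: it calls a method chosen by name, via reflection, on whatever object it receives, and ConstantTransformer lets the chain choose that object. The target used here is deliberately harmless (System.getProperty) and the class names are the library's real ones; it assumes commons-collections 3.2.1 on the classpath (3.2.2 still executes the chain at runtime, it only refuses to deserialize these functors).

```java
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * InvokerTransformer.transform(input) does
 *   input.getClass().getMethod(name, paramTypes).invoke(input, args)
 * Chaining it behind a ConstantTransformer turns the transform of an
 * arbitrary input into a method call of the chain author's choosing.
 * The bulletin's gadget chain has exactly this shape, with Runtime and
 * "exec" in place of System and "getProperty".
 */
public class InvokerTransformerDemo {

    public static Transformer benignChain() {
        Transformer[] steps = new Transformer[] {
            // Step 1: ignore the input and hand over the System class.
            new ConstantTransformer(System.class),
            // Step 2: System.class.getMethod("getProperty", String.class)
            new InvokerTransformer("getMethod",
                    new Class[] { String.class, Class[].class },
                    new Object[] { "getProperty", new Class[] { String.class } }),
            // Step 3: method.invoke(null, "java.version"); static, so no receiver.
            new InvokerTransformer("invoke",
                    new Class[] { Object.class, Object[].class },
                    new Object[] { null, new Object[] { "java.version" } }),
        };
        return new ChainedTransformer(steps);
    }

    public static void main(String[] args) {
        // The input value is irrelevant: ConstantTransformer discards it.
        Object result = benignChain().transform("anything");
        System.out.println("InvokerTransformer returned: " + result);
    }
}
```

Nothing here is a bug in the transformers themselves; the vulnerability is that a serialized stream can carry such a chain and that collection classes in the library evaluate it from inside readObject(), before the application sees a single object. That is why the remediation is to stop these functors from being deserialized at all, or to stop deserializing untrusted streams.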

Moreover, several applications expose Java deserialization of attacker-controlled data publicly, before any authentication.

An attacker can therefore send a malicious serialized gadget chain object to a Java application that uses Apache Commons Collections, in order to run arbitrary commands on the server.

This computer vulnerability announce impacts software or systems such as CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Unity Cisco, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, Domino, Notes, IRAD, Rational ClearCase, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, ePO, Mule ESB, Snap Creator Framework, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is important.

The trust level is of type confirmed by the editor, with an origin of document.

This bulletin is about 12 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

Apache Commons Collections: version 4.1.
The version 4.1 is fixed:
  http://commons.apache.org/proper/commons-collections/download_collections.cgi

Apache Commons Collections: version 3.2.2.
The version 3.2.2 is fixed:
  http://commons.apache.org/proper/commons-collections/download_collections.cgi
Deserialization of the unsafe functor classes is disabled by default in version 3.2.2 (it can be re-enabled with the system property org.apache.commons.collections.enableUnsafeSerialization=true), which may break applications that legitimately serialize them. If deserializing these functors is a required feature, it is recommended to modify the application according to VIGILANCE-SOL-43567.

Apache Commons Collections: patch for InvokerTransformer.
A patch is indicated in information sources.
This patch only fixes the InvokerTransformer class. To fix the other functor classes, use VIGILANCE-SOL-43555.

Apache Commons Collections: filtering unserialization.
If the Java application needs to deserialize untrusted data, developers have to implement a filtering mechanism (a subclass of ObjectInputStream overriding resolveClass() and checking each class name against a whitelist before it is loaded):
  http://www.ibm.com/developerworks/library/se-lookahead/
It is also recommended to follow:
  https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407
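A worked version of the look-ahead filter described above, added here as an example (it is not code from the bulletin, from IBM or from CERT). It assumes a hypothetical endpoint that only expects a HashMap of strings and integers, so that is the whole whitelist; the class names are real. To build the rejected stream it assumes commons-collections 3.2.1 on the classpath, since 3.2.2 refuses to serialize an InvokerTransformer unless the unsafe-serialization property is set.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import org.apache.commons.collections.functors.InvokerTransformer;

/**
 * Look-ahead deserialization: resolveClass() sees every class descriptor in
 * the stream before the class is loaded and before any readObject() of that
 * class can run, so a rejected class is never instantiated at all.
 */
public class LookAheadObjectInputStream extends ObjectInputStream {

    // Whitelist for this (assumed) endpoint. Number is needed because Integer's
    // superclass descriptor is in the stream too and is resolved separately.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.HashMap",
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number"));

    public LookAheadObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Fail closed: a gadget class such as InvokerTransformer is refused
            // by name, without ever being loaded or reconstructed.
            throw new InvalidClassException(name, "class not on deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    /** Deserialize untrusted bytes with the whitelist enforced. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new LookAheadObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Legitimate payload (constructed): a HashMap of strings and integers.
        Map<String, Integer> ok = new HashMap<>();
        ok.put("answer", 42);
        System.out.println("accepted: " + readFiltered(serialize(ok)));

        // Constructed hostile stream: it carries the functor the gadget chain is
        // built from. A lone InvokerTransformer does nothing on its own; the
        // point is that the filter stops it at the class name.
        byte[] bad = serialize(new InvokerTransformer("toString", null, null));
        try {
            readFiltered(bad);
            System.out.println("BUG: gadget class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

Two caveats a practitioner should keep in mind. First, this must be a whitelist, not a blacklist of known gadget classes: the bulletin itself lists seven functors besides InvokerTransformer, and new gadget chains in other libraries keep appearing. Second, on Java 8u121 and later, and on Java 9+, the same check is available natively through JEP 290 serialization filters (ObjectInputStream.setObjectInputFilter() or the jdk.serialFilter system property), which also bound stream depth and array sizes; prefer that mechanism where the runtime supports it, and keep the resolveClass() override for older JVMs.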

Apereo CAS: solution for Java Deserialization.
The solution is indicated in information sources.

Brocade: solution for multiple vulnerabilities (04/04/2016).
The following versions fix several vulnerabilities (but not CVE-2016-0705):
  Brocade Network Advisor : install version 12.4.2 or 14.0.1.
  Brocade vTM : install version 9.9r1 or 10.3r1.
The detailed solution is indicated in information sources.

Cisco: solution for Java Deserialization.
The solution is indicated in information sources.

Debian: new libcommons-collections3-java packages.
New packages are available:
  Debian 7: libcommons-collections3-java 3.2.1-5+deb7u1
  Debian 8: libcommons-collections3-java 3.2.1-7+deb8u1

F5 BIG-IP: fixed versions for commons-collections.
Fixed versions are indicated in information sources.

HPE Business Service Management: version 9.26IP1.
The version 9.26IP1 is fixed:
  https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM02555035

HPE Network Node Manager i: fixed versions.
Fixed versions are indicated in information sources.

HPE Operations: patch for InvokerTransformer.
A patch is available:
  https://softwaresupport.hp.com/group/softwaresupport/search-result/-/facetsearch/document/KM02058067

HP Operations Manager: version 9.21.130.
The version 9.21.130 is fixed:
  https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/KM322544?lang=en&cc=us&hpappid=202392_SSO_PRO_HPE

HP Operations Orchestration: version 10.51.
The version 10.51 is fixed:
  http://support.openview.hp.com/selfsolve/document/LID/OO_00037

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM Domino, Notes: patch for Java Deserialization.
A patch is indicated in information sources.

IBM QRadar SIEM: patch for Apache Commons Collection.
A patch is indicated in information sources.

IBM Rational Application Developer: patch for Java Deserialization.
A patch is indicated in information sources.

IBM Rational ClearCase: solution for WebSphere AS.
The solution is indicated in information sources.

IBM SPSS Modeler: patch for Java Deserialization.
A patch is indicated in information sources.

IBM Tivoli Storage Manager: patch for Java Deserialization.
A patch is indicated in information sources.

IBM Tivoli Workload Scheduler: patch for Java Deserialization.
A patch is indicated in information sources.

Junos Space: fixed versions.
Fixed versions are indicated in information sources.

McAfee ePO: patch for Java Deserialization.
A patch is indicated in information sources.

Mule ESB: version 3.5.4.
The version 3.5.4 is fixed:
  https://www.mulesoft.com/

Mule ESB: version 3.7.3.
The version 3.7.3 is fixed:
  https://www.mulesoft.com/

NetApp Snap Creator Framework, SnapManager: patch for Java Deserialization.
A patch is available:
  Snap Creator Framework: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=967065
  SnapManager for Oracle: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=967068
  SnapManager for SAP: https://mysupport.netapp.com/NOW/cgi-bin/bol?Type=Detail&Display=967069

NetIQ Sentinel: version 7.4 SP1.
The version 7.4 SP1 is fixed:
  https://download.novell.com/Download?buildid=ZEMvbiAk5k8~

Oracle Communications: CPU of January 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2213301.1
  https://support.oracle.com/rs?type=doc&id=2213291.1
  https://support.oracle.com/rs?type=doc&id=2213292.1

Oracle Communications: CPU of July 2017.
A Critical Patch Update is available.

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

Oracle Communications: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451363.1
  https://support.oracle.com/rs?type=doc&id=2450339.1
  https://support.oracle.com/rs?type=doc&id=2450354.1
  https://support.oracle.com/rs?type=doc&id=2450340.1
  https://support.oracle.com/rs?type=doc&id=2452772.1
  https://support.oracle.com/rs?type=doc&id=2451007.1

Oracle Fusion Middleware: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2228898.1

Oracle Fusion Middleware: CPU of April 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2353306.1

Oracle Fusion Middleware: CPU of January 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2325393.1

Oracle Fusion Middleware: CPU of July 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2261562.1

Oracle Fusion Middleware: CPU of October 2016.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2171485.1

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Oracle WebLogic Server: workaround for Java Deserialization.
A workaround is indicated in:
  https://support.oracle.com/rs?type=doc&id=2076338.1

Red Hat JBoss A-MQ: version 6.2.1.
The version 6.2.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.2.1

Red Hat JBoss BPM Suite: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.2.0

Red Hat JBoss BRMS: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.2.0

Red Hat JBoss EAP: version 6.4.5.
The version 6.4.5 is fixed.

Red Hat JBoss Fuse: version 6.2.1.
The version 6.2.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.2.1

Red Hat JBoss Operations Network: version 3.1.2 Hotfix 11.
The version 3.1.2 Hotfix 11 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.1.2

Red Hat JBoss Operations Network: version 3.3.5.
The version 3.3.5 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3

Red Hat JBoss: solution for Commons Collections.
The solution is indicated in information sources.

RHEL 5: new jakarta-commons-collections packages.
New packages are available:
  RHEL 5: jakarta-commons-collections 3.2-2jpp.4

RHEL 6.7: new jakarta-commons-collections packages.
New packages are available:
  RHEL 6: jakarta-commons-collections 3.2.1-3.5.el6_7

RHEL 7.2: new apache-commons-collections packages.
New packages are available:
  RHEL 7: apache-commons-collections 3.2.1-22.el7_2

RHEL: new rh-java-common-apache-commons-collections packages.
New packages are available:
  RHEL 6: rh-java-common-apache-commons-collections 3.2.1-21.13.el6
  RHEL 7: rh-java-common-apache-commons-collections 3.2.1-21.13.el7

SAS: solution for Java Deserialization.
The solution is indicated in information sources.

Solaris: patch for third party software of July 2016 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

VMware vCenter: solution for Java Deserialization.
The solution is indicated in information sources.

WebSphere AS: patch for Java Deserialization.
A patch is indicated in information sources.

WebSphere AS: version 7.0.0.41.
The version 7.0.0.41 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041931

WebSphere AS: version 8.0.0.12.
The version 8.0.0.12 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041590

WebSphere AS: version 8.5.5.8.
The version 8.5.5.8 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041178
