[RHSA-2015:2502-01] Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update
bugzilla at redhat.com
bugzilla at redhat.com
Fri Nov 20 19:20:45 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update
Advisory ID: RHSA-2015:2502-01
Product: Red Hat JBoss Data Grid
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-2502.html
Issue date: 2015-11-20
CVE Names: CVE-2015-7501
=====================================================================
1. Summary:
An updated package for the apache commons-collections library, fixing one
security issue, is now available for Red Hat JBoss Data Grid 6.4.1 and
6.5.1 from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.
2. Description:
Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.
It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)
Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023
All users of Red Hat JBoss Data Grid 6.4.1 and 6.5.1 as provided from
the Red Hat Customer Portal are advised to install this security patch.
3. Solution:
The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Data Grid installation.
4. Bugs fixed (https://bugzilla.redhat.com/):
1279330 - CVE-2015-7501 Apache commons-collections: Remote code execution during deserialisation
5. References:
https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/solutions/2045023
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=6.5.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=6.4.1
6. Contact:
The Red Hat security contact is <secalert at redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFWT3KMXlSAg2UNWIIRAi4TAJ0aW2b78qzXBcQaIPqsq4zCFLpqnACfVZmc
Ujlcd9hlgt0B559JyFxs1Xc=
=DB1N
-----END PGP SIGNATURE-----
More information about the RHSA-announce
mailing list