-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update
Advisory ID:       RHSA-2015:2502-01
Product:           Red Hat JBoss Data Grid
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2502.html
Issue date:        2015-11-20
CVE Names:         CVE-2015-7501 
=====================================================================

1. Summary:

An updated package for the apache commons-collections library, fixing one
security issue, is now available for Red Hat JBoss Data Grid 6.4.1 and
6.5.1 from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available from the CVE link in the
References section.

2. Description:

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on
Infinispan.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed
chain of classes. A remote attacker could use this flaw to execute
arbitrary code with the permissions of the application using the
commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Data Grid 6.4.1 and 6.5.1 as provided from
the Red Hat Customer Portal are advised to install this security patch.

3. Solution:

The References section of this erratum contains a download link (you must
log in to download the update). Before applying this update, back up your
existing JBoss Data Grid installation.

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 Apache commons-collections: Remote code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/solutions/2045023
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=6.5.1
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.grid&downloadType=securityPatches&version=6.4.1

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWT3KMXlSAg2UNWIIRAi4TAJ0aW2b78qzXBcQaIPqsq4zCFLpqnACfVZmc
Ujlcd9hlgt0B559JyFxs1Xc=
=DB1N
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce