-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat JBoss Web Server 3.0.1 commons-collections security update
Advisory ID:       RHSA-2015:2548-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2015-2548.html
Issue date:        2015-12-04
CVE Names:         CVE-2015-7501
=====================================================================

1. Summary:

An update for Red Hat JBoss Web Server 3.0.1 that fixes one security issue
in the Apache commons-collections library is now available.

Red Hat Product Security has rated this update as having Critical security
impact. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available from the CVE link in the References
section.

2. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications.

The Apache Commons Collections library provides new interfaces,
implementations, and utilities to extend the features of the Java
Collections Framework.

It was found that the Apache commons-collections library permitted code
execution when deserializing objects involving a specially constructed chain
of classes. A remote attacker could use this flaw to execute arbitrary code
with the permissions of the application using the commons-collections
library. (CVE-2015-7501)

Further information about the commons-collections flaw may be found at:
https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Web Server 3.0.1 are advised to apply this
update. The Red Hat JBoss Web Server process must be restarted for the
update to take effect.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red Hat
JBoss Web Server installation (including all applications and configuration
files).
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

5. References:

https://access.redhat.com/security/cve/CVE-2015-7501
https://access.redhat.com/security/updates/classification/#critical
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches&product=webserver&version=3.0.1
https://access.redhat.com/solutions/2045023

6. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFWYcp4XlSAg2UNWIIRAhaYAJ4j8HXP3iVatPUQbDCWSbz4IwfGBQCaArjy
m1nM39Q7LszNvSm04SZ9Hlo=
=6+gW
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
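Section 2 of the advisory explains that the flaw is triggered when an application deserializes untrusted data containing a specially constructed chain of classes from commons-collections. Besides applying the update, the application-layer control that stops this pattern is look-ahead (allow-list) deserialization: the stream's class descriptors are checked before any object is instantiated, so a chain built from classes the application never expects is refused before it can run. The class below is an added example written for this page; it is not Red Hat's code nor part of Apache Commons Collections. The class name `AllowListObjectInputStream`, the helper names and the contents of the allow list are assumptions chosen for the example, and the sample payloads are constructed in `main`.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Look-ahead deserialization filter (hypothetical class name for this example).
 * resolveClass() runs when the stream's class descriptor is read, i.e. before
 * the object is constructed and before any readObject() logic of that class
 * executes, so classes outside the allow list are never instantiated.
 */
public class AllowListObjectInputStream extends ObjectInputStream {

    // Constructed allow list for this example: only the types the
    // application actually expects to receive. Everything else is refused.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList",
            "java.lang.String",
            "java.lang.Integer",
            "java.lang.Number"
    ));

    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Refuse before the class is even loaded; callers see an IOException.
            throw new InvalidClassException(name, "class not on deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    /** Serialize an object to bytes (stand-in for data arriving over the network). */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize through the allow list; throws InvalidClassException on a refused class. */
    static Object fromBytesChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed expected payload: a list of strings, every class on the allow list.
        List<String> expected = new ArrayList<>(Arrays.asList("alpha", "beta"));
        System.out.println("allowed: " + fromBytesChecked(toBytes(expected)));

        // Constructed unexpected payload: a harmless object (java.util.Date) whose class is
        // not on the allow list. It is refused in resolveClass(), before construction.
        try {
            fromBytesChecked(toBytes(new java.util.Date(0L)));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowListObjectInputStream.java && java AllowListObjectInputStream`; the first call prints the list, the second prints the rejection message. The point of the design is that the decision is made on the class name in the stream header, not on the deserialized object, so the check applies equally to every nested object in the graph. On Java 9 and later the same policy can be expressed without a subclass through the built-in `ObjectInputFilter` (JEP 290), for example `ObjectInputFilter.Config.createFilter("java.util.ArrayList;java.lang.String;!*")` installed with `setObjectInputFilter` on the stream. Either mechanism is a defence-in-depth layer for code that must deserialize untrusted input; it does not replace applying the update from this advisory.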