CVE-2015-7501
CRITICAL severity · CVSS 9.8 · Insecure deserialization
9.8CVSS CRITICAL
Summary
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)83%
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://rhn.redhat.com/errata/RHSA-2015-2500.html
- http://rhn.redhat.com/errata/RHSA-2015-2501.html
- http://rhn.redhat.com/errata/RHSA-2015-2502.html
- http://rhn.redhat.com/errata/RHSA-2015-2514.html
- http://rhn.redhat.com/errata/RHSA-2015-2516.html
- http://rhn.redhat.com/errata/RHSA-2015-2517.html
- http://rhn.redhat.com/errata/RHSA-2015-2521.html
- http://rhn.redhat.com/errata/RHSA-2015-2522.html