CVE-2015-7501 - Deserialization of Untrusted Data vulnerability in Red Hat products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, redhat, CWE-502, critical, nessus

Summary

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
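The defensive counterpart to the flaw described above, as an added example that is not code from this page, from Red Hat or from Tenable: a look-ahead ObjectInputStream that decides in resolveClass(), before any object is instantiated, whether a class may be deserialized at all. The allow-list contents, the class name SafeObjectInputStream and the sample objects are assumptions made for the example.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not from the page or Red Hat): look-ahead deserialization.
 * Class names are checked in resolveClass() before any object is instantiated,
 * so gadget classes such as those in commons-collections are never loaded,
 * let alone have their readObject() logic run.
 */
public final class SafeObjectInputStream extends ObjectInputStream {
    // Assumed application allow-list: only these classes may be deserialized.
    // java.lang.Number is needed because Integer's superclass descriptor is
    // also resolved; String is encoded specially and never reaches resolveClass().
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.Integer", "java.lang.Number",
        "java.util.HashMap", "java.util.ArrayList"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject the vulnerable library outright, then apply the allow-list.
        if (name.startsWith("org.apache.commons.collections")
                || !ALLOWED.contains(name)) {
            throw new InvalidClassException("Deserialization rejected: " + name);
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in =
                 new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a map the application legitimately exchanges.
        Map<String, Integer> legit = new HashMap<>();
        legit.put("retries", 3);
        System.out.println("accepted: " + deserialize(serialize(legit)));

        // Constructed sample input of a class outside the allow-list; it is
        // rejected when its class descriptor is read, before any of its
        // deserialization logic executes.
        try {
            deserialize(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 8u121 and later the same policy can be expressed with the built-in ObjectInputFilter (JEP 290) instead of overriding resolveClass(); either way the check must run before objects are created, which is what distinguishes it from validating the result after readObject() returns.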

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2540.NASL
    description: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87837
    published: 2016-01-11
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87837
    title: RHEL 7 : JBoss EAP (RHSA-2015:2540)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:2540. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87837);
      script_version("2.18");
      script_cvs_date("Date: 2019/10/24 15:35:40");
    
      script_cve_id("CVE-2015-5304", "CVE-2015-7501");
      script_xref(name:"RHSA", value:"2015:2540");
    
      script_name(english:"RHEL 7 : JBoss EAP (RHSA-2015:2540)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated packages that provide Red Hat JBoss Enterprise Application
    Platform 6.4.5 and fix two security issues, several bugs, and add
    various enhancements are now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having Critical
    security impact. Common Vulnerability Scoring System (CVSS) base
    scores, which give detailed severity ratings, are available for each
    vulnerability from the CVE links in the References section.
    
    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java
    applications based on JBoss Application Server 7.
    
    It was found that the Apache commons-collections library permitted
    code execution when deserializing objects involving a specially
    constructed chain of classes. A remote attacker could use this flaw to
    execute arbitrary code with the permissions of the application using
    the commons-collections library. (CVE-2015-7501)
    
    Further information about the commons-collections flaw may be found
    at: https://access.redhat.com/solutions/2045023
    
    It was found that JBoss EAP did not properly authorize a user
    performing a shut down. A remote user with the Monitor, Deployer, or
    Auditor role could use this flaw to shut down the EAP server, which is
    an action restricted to admin users. (CVE-2015-5304)
    
    The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat
    Middleware Quality Engineering.
    
    This release serves as a replacement for Red Hat JBoss Enterprise
    Application Platform 6.4.4, and includes bug fixes and enhancements.
    Documentation for these changes is available from the link in the
    References section.
    
    All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red
    Hat Enterprise Linux 7 are advised to upgrade to these updated
    packages. The JBoss server process must be restarted for the update to
    take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2015:2540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-5304"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-7501"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-core-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-entitymanager-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-envers-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hibernate4-infinispan-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:hornetq");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-api-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-impl-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-common-spi-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-api-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-core-impl-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-deployers-common-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-jdbc-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-spec-api-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ironjacamar-validator-eap6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-appclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-cli");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-client-all");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-clustering");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-cmp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-configadmin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-connector");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-controller-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-core-security");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-repository");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-deployment-scanner");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-http");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-domain-management");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-ee-deployment");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-ejb3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-embedded");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-host-controller");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jacorb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jaxrs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jdr");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jmx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jpa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-jsr77");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-logging");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-mail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-management-client-content");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-messaging");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-modcluster");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-naming");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-network");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-configadmin");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-osgi-service");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-picketlink");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-platform-mbean");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-pojo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-process-controller");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-protocol");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-remoting");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-sar");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-security");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-system-jmx");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-threads");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-transactions");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-version");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-webservices");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-weld");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-as-xts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-ejb-client");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-hal");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-jsf-api_2.1_spec");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-remoting3");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-security-negotiation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jboss-xnio-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-appclient");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-bundles");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-core");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-domain");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-javadocs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-modules-eap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-product-eap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-standalone");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossas-welcome-content-eap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jbossweb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:picketbox");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2015:2540";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
    
      if (! (rpm_exists(release:"RHEL7", rpm:"jbossas-welcome-content-eap"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "JBoss EAP");
    
      if (rpm_check(release:"RHEL7", reference:"apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-core-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-entitymanager-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-envers-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hibernate4-infinispan-eap6-4.2.21-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"hornetq-2.3.25-7.SP6_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-common-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-common-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-common-spi-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-core-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-core-impl-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-deployers-common-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-jdbc-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-spec-api-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"ironjacamar-validator-eap6-1.0.34-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-cli-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-client-all-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-clustering-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-cmp-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-connector-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-console-2.5.11-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-controller-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-controller-client-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-core-security-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-deployment-repository-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-deployment-scanner-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-domain-http-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-domain-management-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-ee-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-ee-deployment-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-ejb3-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-embedded-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-host-controller-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jacorb-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jaxr-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jaxrs-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jdr-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jpa-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jsf-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-jsr77-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-logging-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-mail-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-management-client-content-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-messaging-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-modcluster-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-naming-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-network-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-osgi-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-osgi-configadmin-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-osgi-service-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-picketlink-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-platform-mbean-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-pojo-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-process-controller-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-protocol-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-remoting-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-sar-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-security-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-server-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-system-jmx-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-threads-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-transactions-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-version-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-web-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-webservices-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-weld-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-as-xts-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-ejb-client-1.0.32-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-hal-2.5.11-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-jsf-api_2.1_spec-2.1.28-5.SP1_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-remoting3-3.3.6-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-security-negotiation-2.3.10-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jboss-xnio-base-3.0.15-1.GA_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-appclient-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-bundles-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-core-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-domain-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-javadocs-7.5.5-3.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-modules-eap-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-product-eap-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-standalone-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossas-welcome-content-eap-7.5.5-2.Final_redhat_3.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"jbossweb-7.5.12-1.Final_redhat_1.1.ep6.el7")) flag++;
      if (rpm_check(release:"RHEL7", reference:"picketbox-4.1.2-1.Final_redhat_1.1.ep6.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache-commons-collections-eap6 / hibernate4-core-eap6 / etc");
      }
    }
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-2522.NASL
    description: From Red Hat Security Advisory 2015:2522 : Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87119
    published: 2015-12-01
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87119
    title: Oracle Linux 7 : apache-commons-collections (ELSA-2015-2522)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2015:2522 and 
    # Oracle Linux Security Advisory ELSA-2015-2522 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87119);
      script_version("2.14");
      script_cvs_date("Date: 2019/09/27 13:00:36");
    
      script_cve_id("CVE-2015-7501");
      script_xref(name:"RHSA", value:"2015:2522");
    
      script_name(english:"Oracle Linux 7 : apache-commons-collections (ELSA-2015-2522)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2015:2522 :
    
    Updated apache-commons-collections packages that fix one security
    issue are now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having Important
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    The Apache Commons Collections library provides new interfaces,
    implementations, and utilities to extend the features of the Java
    Collections Framework.
    
    It was found that the Apache commons-collections library permitted
    code execution when deserializing objects involving a specially
    constructed chain of classes. A remote attacker could use this flaw to
    execute arbitrary code with the permissions of the application using
    the commons-collections library. (CVE-2015-7501)
    
    With this update, deserialization of certain classes in the
    commons-collections library is no longer allowed. Applications that
    require those classes to be deserialized can use the system property
    'org.apache.commons.collections.enableUnsafeSerialization' to
    re-enable their deserialization.
    
    Further information about this security flaw may be found at:
    https://access.redhat.com/solutions/2045023
    
    All users of apache-commons-collections are advised to upgrade to
    these updated packages, which contain a backported patch to correct
    this issue. All running applications using the commons-collections
    library must be restarted for the update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2015-November/005594.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected apache-commons-collections packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:apache-commons-collections");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:apache-commons-collections-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:apache-commons-collections-testframework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:apache-commons-collections-testframework-javadoc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"apache-commons-collections-3.2.1-22.el7_2")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"apache-commons-collections-javadoc-3.2.1-22.el7_2")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"apache-commons-collections-testframework-3.2.1-22.el7_2")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"apache-commons-collections-testframework-javadoc-3.2.1-22.el7_2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache-commons-collections / apache-commons-collections-javadoc / etc");
    }
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2015-618.NASL
    description: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87344
    published: 2015-12-15
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/87344
    title: Amazon Linux AMI : apache-commons-collections (ALAS-2015-618)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2015-618.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87344);
      script_version("2.12");
      script_cvs_date("Date: 2018/04/18 15:09:35");
    
      script_cve_id("CVE-2015-7501");
      script_xref(name:"ALAS", value:"2015-618");
    
      script_name(english:"Amazon Linux AMI : apache-commons-collections (ALAS-2015-618)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was found that the Apache commons-collections library permitted
    code execution when deserializing objects involving a specially
    constructed chain of classes. A remote attacker could use this flaw to
    execute arbitrary code with the permissions of the application using
    the commons-collections library."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2015-618.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update apache-commons-collections' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:apache-commons-collections");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:apache-commons-collections-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:apache-commons-collections-testframework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:apache-commons-collections-testframework-javadoc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"apache-commons-collections-3.2.1-11.9.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"apache-commons-collections-javadoc-3.2.1-11.9.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"apache-commons-collections-testframework-3.2.1-11.9.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"apache-commons-collections-testframework-javadoc-3.2.1-11.9.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache-commons-collections / apache-commons-collections-javadoc / etc");
    }
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-2521.NASL
    description: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87174
    published: 2015-12-03
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87174
    title: CentOS 6 : jakarta-commons-collections (CESA-2015:2521)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:2521 and 
    # CentOS Errata and Security Advisory 2015:2521 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87174);
      script_version("2.15");
      script_cvs_date("Date: 2020/01/02");
    
      script_cve_id("CVE-2015-7501");
      script_xref(name:"RHSA", value:"2015:2521");
    
      script_name(english:"CentOS 6 : jakarta-commons-collections (CESA-2015:2521)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated jakarta-commons-collections packages that fix one security
    issue are now available for Red Hat Enterprise Linux 6.
    
    Red Hat Product Security has rated this update as having Important
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    The Jakarta/Apache Commons Collections library provides new
    interfaces, implementations, and utilities to extend the features of
    the Java Collections Framework.
    
    It was found that the Apache commons-collections library permitted
    code execution when deserializing objects involving a specially
    constructed chain of classes. A remote attacker could use this flaw to
    execute arbitrary code with the permissions of the application using
    the commons-collections library. (CVE-2015-7501)
    
    With this update, deserialization of certain classes in the
    commons-collections library is no longer allowed. Applications that
    require those classes to be deserialized can use the system property
    'org.apache.commons.collections.enableUnsafeSerialization' to
    re-enable their deserialization.
    
    Further information about this security flaw may be found at:
    https://access.redhat.com/solutions/2045023
    
    All users of jakarta-commons-collections are advised to upgrade to
    these updated packages, which contain a backported patch to correct
    this issue. All running applications using the commons-collections
    library must be restarted for the update to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2015-December/021512.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?cd1e83b8"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected jakarta-commons-collections packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7501");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:jakarta-commons-collections");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:jakarta-commons-collections-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:jakarta-commons-collections-testframework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:jakarta-commons-collections-testframework-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:jakarta-commons-collections-tomcat5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"jakarta-commons-collections-3.2.1-3.5.el6_7")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"jakarta-commons-collections-javadoc-3.2.1-3.5.el6_7")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"jakarta-commons-collections-testframework-3.2.1-3.5.el6_7")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"jakarta-commons-collections-testframework-javadoc-3.2.1-3.5.el6_7")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"jakarta-commons-collections-tomcat5-3.2.1-3.5.el6_7")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jakarta-commons-collections / jakarta-commons-collections-javadoc / etc");
    }
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2671.NASL
    description: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87519
    published: 2015-12-21
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87519
    title: RHEL 5 : jakarta-commons-collections (RHSA-2015:2671)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2015:2671. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(87519);
      script_version("2.18");
      script_cvs_date("Date: 2019/10/24 15:35:40");
    
      script_cve_id("CVE-2015-7501");
      script_xref(name:"RHSA", value:"2015:2671");
    
      script_name(english:"RHEL 5 : jakarta-commons-collections (RHSA-2015:2671)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated jakarta-commons-collections packages that fix one security
    issue are now available for Red Hat Enterprise Linux 5.
    
    Red Hat Product Security has rated this update as having Important
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    The Jakarta/Apache Commons Collections library provides new
    interfaces, implementations, and utilities to extend the features of
    the Java Collections Framework.
    
    It was found that the Apache commons-collections library permitted
    code execution when deserializing objects involving a specially
    constructed chain of classes. A remote attacker could use this flaw to
    execute arbitrary code with the permissions of the application using
    the commons-collections library. (CVE-2015-7501)
    
    With this update, deserialization of certain classes in the
    commons-collections library is no longer allowed. Applications that
    require those classes to be deserialized can use the system property
    'org.apache.commons.collections.enableUnsafeSerialization' to
    re-enable their deserialization.
    
    Further information about this security flaw may be found at:
    https://access.redhat.com/solutions/2045023
    
    All users of jakarta-commons-collections are advised to upgrade to
    these updated packages, which contain a backported patch to correct
    this issue. All running applications using the commons-collections
    library must be restarted for the update to take effect."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/solutions/2045023"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2015:2671"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-7501"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections-testframework");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections-testframework-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-collections-tomcat5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^5([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2015:2671";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-debuginfo-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-debuginfo-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-debuginfo-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-testframework-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-testframework-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-testframework-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-testframework-javadoc-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"i386", reference:"jakarta-commons-collections-tomcat5-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"jakarta-commons-collections-tomcat5-3.2-2jpp.4")) flag++;
      if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"jakarta-commons-collections-tomcat5-3.2-2jpp.4")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jakarta-commons-collections / jakarta-commons-collections-debuginfo / etc");
      }
    }
    
  • NASL family: CGI abuses
    NASL id: MYSQL_ENTERPRISE_MONITOR_3_1_6_7959.NASL
    description: According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.6.7959. It is, therefore, affected by a remote code execution vulnerability in the JMXInvokerServlet interface due to improper validation of Java objects before deserialization. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96768
    published: 2017-01-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96768
    title: MySQL Enterprise Monitor 3.1.x < 3.1.6.7959 Java Object Deserialization RCE (January 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96768);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2015-7501");
      script_bugtraq_id(78215);
      script_xref(name:"CERT", value:"576313");
    
      script_name(english:"MySQL Enterprise Monitor 3.1.x < 3.1.6.7959 Java Object Deserialization RCE (January 2017 CPU)");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by a remote
    code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    application running on the remote host is 3.1.x prior to 3.1.6.7959.
    It is, therefore, affected by a remote code execution vulnerability in
    the JMXInvokerServlet interface due to improper validation of Java
    objects before deserialization. An authenticated, remote attacker can
    exploit this to execute arbitrary code. (CVE-2015-7501)");
      # https://dev.mysql.com/doc/relnotes/mysql-monitor/3.1/en/news-3-1-6.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0752b1b7");
      # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixMSQL
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1c38e52");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor version 3.1.6.7959 or later as
    referenced in the January 2017 Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-7501");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_enterprise_monitor");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor", "Settings/ParanoidReport");
      script_require_ports("Services/www", 18443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    port = get_http_port(default:18443);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    fix = "3.1.6.7959";
    vuln = FALSE;
    if (version =~ "^3\.1($|[^0-9])" && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
      vuln = TRUE;
    
    if (vuln)
    {
      report =
        '\n  URL               : ' + install_url +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL family: Junos Local Security Checks
    NASL id: JUNIPER_SPACE_JSA_10838.NASL
    description: According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 108520
    published: 2018-03-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/108520
    title: Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(108520);
      script_version("1.7");
      script_cvs_date("Date: 2019/06/11 15:17:50");
    
      script_cve_id(
        "CVE-2015-5174",
        "CVE-2015-5188",
        "CVE-2015-5220",
        "CVE-2015-5304",
        "CVE-2015-7236",
        "CVE-2015-7501",
        "CVE-2016-2141",
        "CVE-2016-8743",
        "CVE-2017-1000111",
        "CVE-2017-1000112",
        "CVE-2017-12172",
        "CVE-2017-14106",
        "CVE-2017-15098",
        "CVE-2017-3167",
        "CVE-2017-3169",
        "CVE-2017-5645",
        "CVE-2017-5664",
        "CVE-2017-7668",
        "CVE-2017-7679",
        "CVE-2017-9788",
        "CVE-2017-9798",
        "CVE-2018-0011",
        "CVE-2018-0012",
        "CVE-2018-0013"
      );
      script_bugtraq_id(
        57974,
        76771,
        77345,
        78215,
        79788,
        83329,
        91481,
        95077,
        97702,
        98888,
        99134,
        99135,
        99137,
        99170,
        99569,
        100262,
        100267,
        100872,
        100878,
        101781,
        101949
      );
    
      script_name(english:"Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)");
      script_summary(english:"Checks the version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote device is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the remote Junos Space
    version is prior to 17.2R1. It is, therefore, affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10838");
      script_set_attribute(attribute:"solution", value:"Upgrade to Junos Space 17.2R1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_space");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Junos Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/Junos_Space/version");
    
      exit(0);
    }
    
    include("junos.inc");
    include("misc_func.inc");
    
    ver = get_kb_item_or_exit('Host/Junos_Space/version');
    
    check_junos_space(ver:ver, fix:'17.2R1', severity:SECURITY_HOLE);
    
  • NASL family: Misc.
    NASL id: ORACLE_BI_PUBLISHER_APR_2018_CPU.NASL
    description: The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.7.x prior to 11.1.1.7.180417 or 11.1.1.9.x prior to 11.1.1.9.180417; similarly, versions 12.2.1.2.x prior to 12.2.1.2.180116 and 12.2.1.3.x prior to 12.2.1.3.180116 are affected, as noted in the April 2018 Critical Patch Update advisory. The Oracle Business Intelligence Publisher installed on the remote host is affected by multiple vulnerabilities: - A vulnerability can be exploited by a remote attacker by sending a crafted serialized Java object. A successful attack would allow the attacker to execute arbitrary commands on the vulnerable server (CVE-2015-7501). - A vulnerability exists in Apache Batik before 1.9. The vulnerability would allow an attacker to send a malicious SVG file to a user. An attacker who successfully exploits this vulnerability could compromise the server (CVE-2017-5662). Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen: 2020-05-31
    modified: 2018-12-28
    plugin id: 119939
    published: 2018-12-28
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119939
    title: Oracle Business Intelligence Publisher Multiple Vulnerabilities (April 2018 CPU)
  • NASL family: Web Servers
    NASL id: JBOSS_JAVA_SERIALIZE.NASL
    description: The remote JBoss server is affected by multiple remote code execution vulnerabilities: - A flaw exists due to the JMXInvokerHAServlet and EJBInvokerHAServlet invoker servlets not properly restricting access to profiles. A remote attacker can exploit this issue to bypass authentication and invoke MBean methods, allowing arbitrary code to be executed in the context of the user running the server. (CVE-2012-0874) - The remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted RMI request, to execute arbitrary code on the target host. (CVE-2015-7501)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87312
    published: 2015-12-10
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87312
    title: JBoss Java Object Deserialization RCE
  • NASL family: Windows
    NASL id: ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL
    description: The Oracle WebCenter Sites component of Oracle Fusion Middleware is affected by multiple vulnerabilities. - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501) - An unspecified vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data, as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and the unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542) - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638) In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities, including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen: 2020-06-05
    modified: 2020-06-01
    plugin id: 136998
    published: 2020-06-01
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/136998
    title: Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)
  • NASL family: Misc.
    NASL id: ORACLE_WEBLOGIC_SERVER_CPU_OCT_2016.NASL
    description: The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - An unspecified flaw exists in the Java Server Faces subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-3505) - An unspecified flaw exists in the Web Container subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5488) - An unspecified flaw exists in the WLS-WebServices subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-5531) - An unspecified flaw that allows an unauthenticated, remote attacker to execute arbitrary code. No other details are available. (CVE-2016-5535) - An unspecified flaw exists in the CIE Related subcomponent that allows a local attacker to impact confidentiality and integrity. (CVE-2016-5601)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 94290
    published: 2016-10-26
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/94290
    title: Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2522.NASL
    description: Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87179
    published: 2015-12-03
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87179
    title: RHEL 7 : apache-commons-collections (RHSA-2015:2522)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-2671.NASL
    description: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87540
    published: 2015-12-22
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87540
    title: CentOS 5 : jakarta-commons-collections (CESA-2015:2671)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20151130_APACHE_COMMONS_COLLECTIONS_ON_SL7_X.NASL
    description: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-03-18
    modified: 2015-12-01
    plugin id: 87120
    published: 2015-12-01
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87120
    title: Scientific Linux Security Update : apache-commons-collections on SL7.x (noarch) (20151130)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2538.NASL
    description: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87192
    published: 2015-12-04
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87192
    title: RHEL 5 : JBoss EAP (RHSA-2015:2538)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-1773.NASL
    description: An update is now available for Red Hat OpenShift Enterprise 2.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenShift Enterprise by Red Hat is the company
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119378
    published: 2018-12-04
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119378
    title: RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)
  • NASL family: Misc.
    NASL id: ORACLE_IDENTITY_MANAGEMENT_CPU_JAN_2018.NASL
    description: The remote host is missing the January 2018 Critical Patch Update for Oracle Identity Manager. It is, therefore, affected by multiple vulnerabilities as described in the January 2018 critical patch update advisory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106140
    published: 2018-01-18
    reporter: This script is Copyright (C) 2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/106140
    title: Oracle Identity Manager Multiple Vulnerabilities (January 2018 CPU)
  • NASL family: Misc.
    NASL id: ORACLE_OATS_CPU_APR_2016.NASL
    description: The version of Oracle Application Testing Suite installed on the remote host is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted SOAP request, to execute arbitrary code on the target host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90859
    published: 2016-05-03
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90859
    title: Oracle Application Testing Suite Java Object Deserialization RCE (April 2016 CPU)
  • NASL family: CGI abuses
    NASL id: MYSQL_ENTERPRISE_MONITOR_3_2_2_1075.NASL
    description: According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.2.1075. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability exists in the bundled version of Apache Tomcat in the Manager and Host Manager web applications due to a flaw in the index page when issuing redirects in response to unauthenticated requests for the root directory of the application. An authenticated, remote attacker can exploit this to gain access to the XSRF token information stored in the index page. (CVE-2015-5351) - A remote code execution vulnerability exists in the JMXInvokerServlet interface due to improper validation of Java objects before deserialization. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2015-7501) - A remote code execution vulnerability exists in the Framework subcomponent that allows an authenticated, remote attacker to execute arbitrary code. (CVE-2016-0635) - An information disclosure vulnerability exists in the bundled version of Apache Tomcat that allows a specially crafted web application to load the StatusManagerServlet. An authenticated, remote attacker can exploit this to gain unauthorized access to a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. (CVE-2016-0706) - A remote code execution vulnerability exists in the bundled version of Apache Tomcat due to a flaw in the StandardManager, PersistentManager, and cluster implementations that is triggered when handling persistent sessions. An authenticated, remote attacker can exploit this, via a crafted object in a session, to bypass the security manager and execute arbitrary code. (CVE-2016-0714) - A security bypass vulnerability exists in the bundled version of Apache Tomcat due to a failure to consider whether ResourceLinkFactory.setGlobalContext callers are authorized. An authenticated, remote attacker can exploit this, via a web application that sets a crafted global context, to bypass intended SecurityManager restrictions and read or write to arbitrary application data or cause a denial of service condition. (CVE-2016-0763)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96769
    published: 2017-01-25
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96769
    title: MySQL Enterprise Monitor 3.2.x < 3.2.2.1075 Multiple Vulnerabilities (January 2017 CPU)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-2671.NASL
    description: From Red Hat Security Advisory 2015:2671 : Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87547
    published: 2015-12-22
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87547
    title: Oracle Linux 5 : jakarta-commons-collections (ELSA-2015-2671)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2539.NASL
    description: Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.4.5 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.4, and includes bug fixes and enhancements. Documentation for these changes is available from the link in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87193
    published: 2015-12-04
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87193
    title: RHEL 6 : JBoss EAP (RHSA-2015:2539)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2542.NASL
    description: Updated jboss-ec2-eap packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat JBoss Enterprise Application Platform 6.4.4 on Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the commons-collections flaw may be found at: https://access.redhat.com/solutions/2045023 It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users. (CVE-2015-5304) The CVE-2015-5304 issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.5. Documentation for these changes is available from the link in the References section. All jboss-ec2-eap users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87194
    published: 2015-12-04
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87194
    title: RHEL 6 : JBoss EAP (RHSA-2015:2542)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2536.NASL
    description: Updated packages that fix one security issue for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.3 are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 6.3 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87191
    published: 2015-12-04
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87191
    title: RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2536)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2521.NASL
    description: Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87102
    published: 2015-11-30
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87102
    title: RHEL 6 : jakarta-commons-collections (RHSA-2015:2521)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2015-2521.NASL
    description: From Red Hat Security Advisory 2015:2521 : Updated jakarta-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Jakarta/Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87118
    published: 2015-12-01
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87118
    title: Oracle Linux 6 : jakarta-commons-collections (ELSA-2015-2521)
  • NASL family: Web Servers
    NASL id: SUN_JAVA_WEB_SERVER_7_0_27.NASL
    description: According to its self-reported version, the Oracle iPlanet Web Server (formerly known as Sun Java System Web Server) running on the remote host is 7.0.x prior to 7.0.27 Patch 26834070. It is, therefore, affected by an unspecified vulnerability in the Network Security Services (NSS) library with unknown impact.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106349
    published: 2018-01-25
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106349
    title: Oracle iPlanet Web Server 7.0.x < 7.0.27 NSS Unspecified Vulnerability (January 2018 CPU)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20151130_JAKARTA_COMMONS_COLLECTIONS_ON_SL6_X.NASL
    description: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-03-18
    modified: 2015-12-01
    plugin id: 87121
    published: 2015-12-01
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87121
    title: Scientific Linux Security Update : jakarta-commons-collections on SL6.x (noarch) (20151130)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20151221_JAKARTA_COMMONS_COLLECTIONS_ON_SL5_X.NASL
    description: It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-03-18
    modified: 2015-12-22
    plugin id: 87587
    published: 2015-12-22
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87587
    title: Scientific Linux Security Update : jakarta-commons-collections on SL5.x i386/x86_64 (20151221)
  • NASL family: Web Servers
    NASL id: ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL
    description: The version of Oracle HTTP Server installed on the remote host is affected by multiple vulnerabilities as noted in the January 2018 CPU advisory.
    last seen: 2020-03-18
    modified: 2018-01-24
    plugin id: 106299
    published: 2018-01-24
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106299
    title: Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2018 CPU)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2015-2522.NASL
    description: Updated apache-commons-collections packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Apache Commons Collections library provides new interfaces, implementations, and utilities to extend the features of the Java Collections Framework. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) With this update, deserialization of certain classes in the commons-collections library is no longer allowed. Applications that require those classes to be deserialized can use the system property
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87161
    published: 2015-12-02
    reporter: This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87161
    title: CentOS 7 : apache-commons-collections (CESA-2015:2522)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2500.NASL
    description: Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 6.4, which fix one security issue, are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87044
    published: 2015-11-24
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87044
    title: RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2015:2500)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2015-2535.NASL
    description: Updated packages for the Apache commons-collections library for Red Hat JBoss Enterprise Application Platform 5.2, which fix one security issue, are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 5 is a platform for Java applications based on JBoss Application Server 6. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023 All users of Red Hat JBoss Enterprise Application Platform 5.2 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 87190
    published: 2015-12-04
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/87190
    title: RHEL 5 / 6 : JBoss EAP (RHSA-2015:2535)

Redhat

advisories
  • bugzilla
    id: 1279330
    title: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 6 is installed
        oval: oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment: jakarta-commons-collections is earlier than 0:3.2.1-3.5.el6_7
            oval: oval:com.redhat.rhsa:tst:20152521001
          • comment: jakarta-commons-collections is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152521002
        • AND
          • comment: jakarta-commons-collections-tomcat5 is earlier than 0:3.2.1-3.5.el6_7
            oval: oval:com.redhat.rhsa:tst:20152521003
          • comment: jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152521004
        • AND
          • comment: jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2.1-3.5.el6_7
            oval: oval:com.redhat.rhsa:tst:20152521005
          • comment: jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152521006
        • AND
          • comment: jakarta-commons-collections-testframework is earlier than 0:3.2.1-3.5.el6_7
            oval: oval:com.redhat.rhsa:tst:20152521007
          • comment: jakarta-commons-collections-testframework is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152521008
        • AND
          • comment: jakarta-commons-collections-javadoc is earlier than 0:3.2.1-3.5.el6_7
            oval: oval:com.redhat.rhsa:tst:20152521009
          • comment: jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152521010
    rhsa
    id: RHSA-2015:2521
    released: 2015-11-30
    severity: Important
    title: RHSA-2015:2521: jakarta-commons-collections security update (Important)
  • bugzilla
    id: 1279330
    title: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 7 is installed
        oval: oval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • comment: apache-commons-collections-javadoc is earlier than 0:3.2.1-22.el7_2
            oval: oval:com.redhat.rhsa:tst:20152522001
          • comment: apache-commons-collections-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152522002
        • AND
          • comment: apache-commons-collections-testframework-javadoc is earlier than 0:3.2.1-22.el7_2
            oval: oval:com.redhat.rhsa:tst:20152522003
          • comment: apache-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152522004
        • AND
          • comment: apache-commons-collections is earlier than 0:3.2.1-22.el7_2
            oval: oval:com.redhat.rhsa:tst:20152522005
          • comment: apache-commons-collections is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152522006
        • AND
          • comment: apache-commons-collections-testframework is earlier than 0:3.2.1-22.el7_2
            oval: oval:com.redhat.rhsa:tst:20152522007
          • comment: apache-commons-collections-testframework is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20152522008
    rhsa
    id: RHSA-2015:2522
    released: 2015-11-30
    severity: Important
    title: RHSA-2015:2522: apache-commons-collections security update (Important)
  • bugzilla
    id: 1279330
    title: CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment: jakarta-commons-collections-tomcat5 is earlier than 0:3.2-2jpp.4
            oval: oval:com.redhat.rhsa:tst:20152671001
          • comment: jakarta-commons-collections-tomcat5 is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20152671002
        • AND
          • comment: jakarta-commons-collections-testframework is earlier than 0:3.2-2jpp.4
            oval: oval:com.redhat.rhsa:tst:20152671003
          • comment: jakarta-commons-collections-testframework is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20152671004
        • AND
          • comment: jakarta-commons-collections-javadoc is earlier than 0:3.2-2jpp.4
            oval: oval:com.redhat.rhsa:tst:20152671005
          • comment: jakarta-commons-collections-javadoc is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20152671006
        • AND
          • comment: jakarta-commons-collections is earlier than 0:3.2-2jpp.4
            oval: oval:com.redhat.rhsa:tst:20152671007
          • comment: jakarta-commons-collections is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20152671008
        • AND
          • comment: jakarta-commons-collections-testframework-javadoc is earlier than 0:3.2-2jpp.4
            oval: oval:com.redhat.rhsa:tst:20152671009
          • comment: jakarta-commons-collections-testframework-javadoc is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20152671010
    rhsa
    id: RHSA-2015:2671
    released: 2015-12-21
    severity: Important
    title: RHSA-2015:2671: jakarta-commons-collections security update (Important)
  • rhsa
    id: RHSA-2015:2500
  • rhsa
    id: RHSA-2015:2501
  • rhsa
    id: RHSA-2015:2502
  • rhsa
    id: RHSA-2015:2514
  • rhsa
    id: RHSA-2015:2516
  • rhsa
    id: RHSA-2015:2517
  • rhsa
    id: RHSA-2015:2524
  • rhsa
    id: RHSA-2015:2536
  • rhsa
    id: RHSA-2015:2670
  • rhsa
    id: RHSA-2016:0040
  • rhsa
    id: RHSA-2016:1773
rpms
  • apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el5
  • apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el6
  • apache-commons-collections-eap6-0:3.2.1-16.redhat_5.1.ep6.el7
  • jakarta-commons-collections-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-testframework-javadoc-0:3.2.1-3.5.el6_7
  • jakarta-commons-collections-tomcat5-0:3.2.1-3.5.el6_7
  • apache-commons-collections-0:3.2.1-22.el7_2
  • apache-commons-collections-javadoc-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-0:3.2.1-22.el7_2
  • apache-commons-collections-testframework-javadoc-0:3.2.1-22.el7_2
  • rh-java-common-apache-commons-collections-0:3.2.1-21.13.el6
  • rh-java-common-apache-commons-collections-0:3.2.1-21.13.el7
  • rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el6
  • rh-java-common-apache-commons-collections-javadoc-0:3.2.1-21.13.el7
  • rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el6
  • rh-java-common-apache-commons-collections-testframework-0:3.2.1-21.13.el7
  • rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el6
  • rh-java-common-apache-commons-collections-testframework-javadoc-0:3.2.1-21.13.el7
  • jakarta-commons-collections-0:3.2.1-5.ep5.el4
  • jakarta-commons-collections-0:3.2.1-5.ep5.el5
  • jakarta-commons-collections-0:3.2.1-5.ep5.el6
  • jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el4
  • jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el5
  • jakarta-commons-collections-tomcat5-0:3.2.1-5.ep5.el6
  • apache-commons-collections-eap6-0:3.2.1-18.redhat_7.1.ep6.el5
  • hibernate4-core-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el5
  • hibernate4-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el5
  • hibernate4-entitymanager-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el5
  • hibernate4-envers-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el5
  • hibernate4-infinispan-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el5
  • hornetq-0:2.3.25-7.SP6_redhat_1.1.ep6.el5
  • ironjacamar-common-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-common-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-common-spi-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-core-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-core-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-deployers-common-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-jdbc-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-spec-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • ironjacamar-validator-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el5
  • jboss-as-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-cli-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-client-all-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-clustering-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-cmp-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-connector-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-console-0:2.5.11-1.Final_redhat_1.1.ep6.el5
  • jboss-as-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-controller-client-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-core-security-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-deployment-repository-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-deployment-scanner-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-domain-http-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-domain-management-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-ee-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-ee-deployment-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-ejb3-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-embedded-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-host-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jacorb-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jaxr-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jaxrs-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jdr-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jpa-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jsf-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-jsr77-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-logging-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-mail-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-management-client-content-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-messaging-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-modcluster-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-naming-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-network-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-osgi-service-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-picketlink-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-platform-mbean-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-pojo-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-process-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-protocol-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-remoting-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-sar-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-security-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-server-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-system-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-threads-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-transactions-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-version-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-web-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-webservices-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-weld-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-as-xts-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jboss-ejb-client-0:1.0.32-1.Final_redhat_1.1.ep6.el5
  • jboss-hal-0:2.5.11-1.Final_redhat_1.1.ep6.el5
  • jboss-jsf-api_2.1_spec-0:2.1.28-5.SP1_redhat_1.1.ep6.el5
  • jboss-remoting3-0:3.3.6-1.Final_redhat_1.1.ep6.el5
  • jboss-security-negotiation-0:2.3.10-1.Final_redhat_1.1.ep6.el5
  • jboss-xnio-base-0:3.0.15-1.GA_redhat_1.1.ep6.el5
  • jbossas-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-bundles-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-core-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-domain-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-javadocs-0:7.5.5-3.Final_redhat_3.1.ep6.el5
  • jbossas-modules-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-product-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-standalone-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossas-welcome-content-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el5
  • jbossweb-0:7.5.12-1.Final_redhat_1.1.ep6.el5
  • picketbox-0:4.1.2-1.Final_redhat_1.1.ep6.el5
  • apache-commons-collections-eap6-0:3.2.1-18.redhat_7.1.ep6.el6
  • hibernate4-core-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el6
  • hibernate4-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el6
  • hibernate4-entitymanager-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el6
  • hibernate4-envers-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el6
  • hibernate4-infinispan-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el6
  • hornetq-0:2.3.25-7.SP6_redhat_1.1.ep6.el6
  • ironjacamar-common-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-common-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-common-spi-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-core-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-core-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-deployers-common-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-jdbc-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-spec-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • ironjacamar-validator-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el6
  • jboss-as-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-cli-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-client-all-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-clustering-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-cmp-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-connector-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-console-0:2.5.11-1.Final_redhat_1.1.ep6.el6
  • jboss-as-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-controller-client-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-core-security-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-deployment-repository-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-deployment-scanner-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-domain-http-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-domain-management-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-ee-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-ee-deployment-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-ejb3-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-embedded-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-host-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jacorb-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jaxr-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jaxrs-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jdr-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jpa-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jsf-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-jsr77-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-logging-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-mail-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-management-client-content-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-messaging-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-modcluster-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-naming-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-network-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-osgi-service-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-picketlink-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-platform-mbean-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-pojo-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-process-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-protocol-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-remoting-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-sar-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-security-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-server-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-system-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-threads-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-transactions-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-version-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-web-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-webservices-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-weld-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-as-xts-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jboss-ejb-client-0:1.0.32-1.Final_redhat_1.1.ep6.el6
  • jboss-hal-0:2.5.11-1.Final_redhat_1.1.ep6.el6
  • jboss-jsf-api_2.1_spec-0:2.1.28-5.SP1_redhat_1.1.ep6.el6
  • jboss-remoting3-0:3.3.6-1.Final_redhat_1.1.ep6.el6
  • jboss-security-negotiation-0:2.3.10-1.Final_redhat_1.1.ep6.el6
  • jboss-xnio-base-0:3.0.15-1.GA_redhat_1.1.ep6.el6
  • jbossas-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-bundles-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-core-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-domain-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-javadocs-0:7.5.5-3.Final_redhat_3.1.ep6.el6
  • jbossas-modules-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-product-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-standalone-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossas-welcome-content-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el6
  • jbossweb-0:7.5.12-1.Final_redhat_1.1.ep6.el6
  • picketbox-0:4.1.2-1.Final_redhat_1.1.ep6.el6
  • apache-commons-collections-eap6-0:3.2.1-18.redhat_7.1.ep6.el7
  • hibernate4-core-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el7
  • hibernate4-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el7
  • hibernate4-entitymanager-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el7
  • hibernate4-envers-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el7
  • hibernate4-infinispan-eap6-0:4.2.21-1.Final_redhat_1.1.ep6.el7
  • hornetq-0:2.3.25-7.SP6_redhat_1.1.ep6.el7
  • ironjacamar-common-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-common-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-common-spi-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-core-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-core-impl-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-deployers-common-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-jdbc-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-spec-api-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • ironjacamar-validator-eap6-0:1.0.34-1.Final_redhat_1.1.ep6.el7
  • jboss-as-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-cli-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-client-all-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-clustering-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-cmp-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-connector-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-console-0:2.5.11-1.Final_redhat_1.1.ep6.el7
  • jboss-as-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-controller-client-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-core-security-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-deployment-repository-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-deployment-scanner-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-domain-http-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-domain-management-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-ee-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-ee-deployment-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-ejb3-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-embedded-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-host-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jacorb-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jaxr-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jaxrs-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jdr-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jpa-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jsf-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-jsr77-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-logging-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-mail-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-management-client-content-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-messaging-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-modcluster-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-naming-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-network-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-osgi-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-osgi-configadmin-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-osgi-service-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-picketlink-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-platform-mbean-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-pojo-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-process-controller-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-protocol-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-remoting-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-sar-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-security-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-server-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-system-jmx-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-threads-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-transactions-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-version-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-web-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-webservices-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-weld-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-as-xts-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jboss-ejb-client-0:1.0.32-1.Final_redhat_1.1.ep6.el7
  • jboss-hal-0:2.5.11-1.Final_redhat_1.1.ep6.el7
  • jboss-jsf-api_2.1_spec-0:2.1.28-5.SP1_redhat_1.1.ep6.el7
  • jboss-remoting3-0:3.3.6-1.Final_redhat_1.1.ep6.el7
  • jboss-security-negotiation-0:2.3.10-1.Final_redhat_1.1.ep6.el7
  • jboss-xnio-base-0:3.0.15-1.GA_redhat_1.1.ep6.el7
  • jbossas-appclient-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-bundles-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-core-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-domain-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-javadocs-0:7.5.5-3.Final_redhat_3.1.ep6.el7
  • jbossas-modules-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-product-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-standalone-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossas-welcome-content-eap-0:7.5.5-2.Final_redhat_3.1.ep6.el7
  • jbossweb-0:7.5.12-1.Final_redhat_1.1.ep6.el7
  • picketbox-0:4.1.2-1.Final_redhat_1.1.ep6.el7
  • jboss-ec2-eap-0:7.5.5-3.Final_redhat_3.ep6.el6
  • jboss-ec2-eap-samples-0:7.5.5-3.Final_redhat_3.ep6.el6
  • jakarta-commons-collections-0:3.2-2jpp.4
  • jakarta-commons-collections-debuginfo-0:3.2-2jpp.4
  • jakarta-commons-collections-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-0:3.2-2jpp.4
  • jakarta-commons-collections-testframework-javadoc-0:3.2-2jpp.4
  • jakarta-commons-collections-tomcat5-0:3.2-2jpp.4
  • ImageMagick-debuginfo-0:6.7.2.7-5.el6_8
  • ImageMagick-devel-0:6.7.2.7-5.el6_8
  • ImageMagick-doc-0:6.7.2.7-5.el6_8
  • ImageMagick-perl-0:6.7.2.7-5.el6_8
  • activemq-0:5.9.0-6.redhat.611463.el6op
  • activemq-client-0:5.9.0-6.redhat.611463.el6op
  • jenkins-0:1.651.2-1.el6op
  • libcgroup-debuginfo-0:0.40.rc1-18.el6_8
  • libcgroup-pam-0:0.40.rc1-18.el6_8
  • openshift-origin-broker-0:1.16.3.2-1.el6op
  • openshift-origin-broker-util-0:1.37.6.2-1.el6op
  • openshift-origin-cartridge-cron-0:1.25.4.2-1.el6op
  • openshift-origin-cartridge-diy-0:1.26.2.2-1.el6op
  • openshift-origin-cartridge-haproxy-0:1.31.6.2-1.el6op
  • openshift-origin-cartridge-jbosseap-0:2.27.4.2-1.el6op
  • openshift-origin-cartridge-jbossews-0:1.35.5.2-1.el6op
  • openshift-origin-cartridge-jenkins-0:1.29.2.2-1.el6op
  • openshift-origin-cartridge-jenkins-client-0:1.26.1.1-1.el6op
  • openshift-origin-cartridge-mongodb-0:1.26.2.2-1.el6op
  • openshift-origin-cartridge-mysql-0:1.31.3.3-1.el6op
  • openshift-origin-cartridge-nodejs-0:1.33.1.2-1.el6op
  • openshift-origin-cartridge-perl-0:1.30.2.2-1.el6op
  • openshift-origin-cartridge-php-0:1.35.4.2-1.el6op
  • openshift-origin-cartridge-python-0:1.34.3.2-1.el6op
  • openshift-origin-cartridge-ruby-0:1.32.2.2-1.el6op
  • openshift-origin-msg-node-mcollective-0:1.30.2.2-1.el6op
  • openshift-origin-node-proxy-0:1.26.3.1-1.el6op
  • openshift-origin-node-util-0:1.38.7.1-1.el6op
  • rhc-0:1.38.7.1-1.el6op
  • rubygem-openshift-origin-admin-console-0:1.28.2.1-1.el6op
  • rubygem-openshift-origin-controller-0:1.38.6.4-1.el6op
  • rubygem-openshift-origin-frontend-haproxy-sni-proxy-0:0.5.2.1-1.el6op
  • rubygem-openshift-origin-msg-broker-mcollective-0:1.36.2.4-1.el6op
  • rubygem-openshift-origin-node-0:1.38.6.4-1.el6op
  • rubygem-openshift-origin-routing-daemon-0:0.26.6.1-1.el6op

Seebug

bulletinFamily: exploit
description: Vulnerability details: Red Hat JBoss Portal is an open-source, standards-compliant portal platform from Red Hat (US). The platform is used to build and lay out the web interface of a portal site, to publish and manage content, and to customise the user experience. Red Hat JBoss Portal 6.x contains a security vulnerability; an attacker can exploit it to bypass security restrictions. Details: An updated apache commons-collections package that fixes one security issue is now available for Red Hat JBoss Portal 6.2.0 from the Red Hat Customer Portal. Red Hat JBoss Portal is an open-source implementation of Java EE and portal services that runs on Red Hat JBoss Enterprise Application Platform. It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501) Further information about the flaw may be found at: https://access.redhat.com/solutions/2045023
id: SSV:89999
last seen: 2018-02-03
modified: 2015-12-04
published: 2015-12-04
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-89999
title: Red Hat JBoss Portal Security Bypass Vulnerability
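
The Seebug entry and the Red Hat advisory text both describe the mechanism the same way: the application deserializes an attacker-supplied Java object stream, and the stream declares Apache Commons Collections (ACC) functor classes that chain into code execution. Patching to the versions listed above is the fix; while a patch window is open, a triage check on inbound request bodies or captured payloads is a useful stopgap. The Python below is an added example (not code from this page, from Red Hat, or from Seebug): it recognises the Java serialization stream header, walks the stream for TC_CLASSDESC records, and flags any class name in an assumed ACC gadget list. The gadget class list and the byte fixtures are assumptions and constructions for the example; the fixtures carry only class descriptors, not a working chain. The scan is a heuristic over descriptor records, not a full parser of the serialization grammar, so it is a detection aid and not a substitute for an in-process deserialization filter.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed"   # java.io.ObjectStreamConstants.STREAM_MAGIC
STREAM_VERSION = 5           # STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_FLAG_MASK = 0x1F          # SC_WRITE_METHOD|SC_SERIALIZABLE|SC_EXTERNALIZABLE|SC_BLOCK_DATA|SC_ENUM

# Functor classes the public ACC deserialization gadget chains are built from.
# Assumption: a starting list for this example, not an exhaustive one.
ACC_GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InstantiateTransformer",
}

_CLASS_NAME = re.compile(r"^\[*[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?$")


def is_java_serialized(blob: bytes) -> bool:
    """True if the payload starts with the Java serialization stream header."""
    return (len(blob) >= 4 and blob[:2] == STREAM_MAGIC
            and struct.unpack(">H", blob[2:4])[0] == STREAM_VERSION)


def find_class_names(blob: bytes) -> list:
    """Return class names from TC_CLASSDESC records, in stream order.

    A record is TC_CLASSDESC, a 2-byte big-endian length, the class name, then
    classDescInfo (8-byte serialVersionUID, 1 flag byte, 2-byte field count).
    The name must look like a Java class name and the flag byte may only use
    defined SC_* bits; that weeds out stray 0x72 ('r') bytes in other data.
    """
    names, i, n = [], 0, len(blob)
    while i < n:
        if blob[i] != TC_CLASSDESC or i + 3 > n:
            i += 1
            continue
        length = struct.unpack(">H", blob[i + 1:i + 3])[0]
        start, end = i + 3, i + 3 + length
        if length == 0 or end > n:
            i += 1
            continue
        try:
            name = blob[start:end].decode("ascii")
        except UnicodeDecodeError:
            i += 1
            continue
        if not _CLASS_NAME.match(name):
            i += 1
            continue
        if end + 9 <= n and blob[end + 8] & ~SC_FLAG_MASK:
            i += 1      # undefined SC_* bits: not a real class descriptor
            continue
        names.append(name)
        i = end         # skip past the name so its own 'r' bytes are not rescanned
    return names


def classify(blob: bytes) -> dict:
    """Is it a Java stream, which classes does it declare, any ACC gadget classes?"""
    serialized = is_java_serialized(blob)
    names = find_class_names(blob) if serialized else []
    hits = sorted(set(names) & ACC_GADGET_CLASSES)
    return {"is_java_serialized": serialized, "classes": names,
            "acc_gadget_classes": hits, "suspicious": bool(hits)}


# --- constructed fixtures for this example (not real payloads) ---------------

def _class_desc(name: str) -> bytes:
    """One TC_CLASSDESC record with no fields and no superclass."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")
            + b"\x00" * 8                    # serialVersionUID: filler in this fixture
            + b"\x02"                        # SC_SERIALIZABLE
            + b"\x00\x00"                    # field count 0
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


_HEADER = STREAM_MAGIC + struct.pack(">H", STREAM_VERSION) + bytes([TC_OBJECT])

# Declares the descriptors an InvokerTransformer-based chain carries, but no
# object data, so it deserializes to nothing useful and is not a gadget chain.
SAMPLE_SUSPICIOUS = (_HEADER
                     + _class_desc("org.apache.commons.collections.map.LazyMap")
                     + _class_desc("org.apache.commons.collections.functors.ChainedTransformer")
                     + _class_desc("org.apache.commons.collections.functors.InvokerTransformer"))
SAMPLE_BENIGN = _HEADER + _class_desc("java.util.HashMap")
SAMPLE_NOT_JAVA = b'{"user": "alice"}'

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS),
                        ("benign", SAMPLE_BENIGN), ("json", SAMPLE_NOT_JAVA)):
        print(label, classify(blob))
```

The stream header check comes first because the class-descriptor scan on its own would happily match an `r` followed by a short length inside arbitrary binary data; the flag-byte check then rejects most remaining false positives. Base64 or gzip wrapping (common in cookies and ViewState-style fields) has to be undone before calling `classify`, and a hit should be treated as a reason to block and investigate, not as proof of a working exploit.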

References