CVE-2015-7501
Code Execution vulnerability in commons-collections (Maven)

Code Execution Proof of concept

What is CVE-2015-7501 About?

This vulnerability in the Apache commons-collections library allows for arbitrary code execution during object deserialization due to a specially constructed chain of classes. A remote attacker can exploit this to execute code with the permissions of the application utilizing the library. This is a critical remote code execution flaw that is relatively easy to exploit once the serialization vector is identified.

Affected Software

  • commons-collections:commons-collections
    • <3.2.2
  • org.apache.commons:commons-collections4
    • <4.1
  • org.apache.servicemix.bundles:org.apache.servicemix.bundles.commons-collections
    • >=3.2.1
  • org.apache.servicemix.bundles:org.apache.servicemix.bundles.collections-generic
    • >=4.01

Technical Details

The Apache commons-collections library was found to permit code execution when deserializing objects involving a specially constructed chain of classes. This vulnerability, often referred to as a deserialization vulnerability, arises when an application deserializes untrusted data without proper validation. An attacker can craft a serialized object that, when deserialized by an application using the vulnerable commons-collections library, triggers a chain of method calls leading to arbitrary code execution. This typically leverages the 'InvokerTransformer' within the library to call arbitrary methods and execute commands on the underlying system, with the privileges of the application processing the serialized data.

What is the Impact of CVE-2015-7501?

Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control over the affected system, or compromise sensitive data.

What is the Exploitability of CVE-2015-7501?

Exploiting this vulnerability involves crafting a malicious serialized object, which is of moderate complexity once the 'gadget chain' is understood. No authentication is typically required if the application exposes a deserialization endpoint, such as through RMI or another similar protocol. The attack can be remote, as the attacker simply needs to send the specially crafted serialized payload to the vulnerable application. The primary constraint is the application's reliance on deserialization for untrusted inputs. Any application processing serialized data with the vulnerable commons-collections library is at high risk, especially without strict whitelisting of classes allowed during deserialization.
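The two passages above (the InvokerTransformer chain under Technical Details and the note on class whitelisting under Exploitability) both come down to one defensive control: the application must refuse to resolve any class it does not expect before ObjectInputStream instantiates it. The following is an added example written for this page, not code from the advisory or from Apache Commons. It shows the same allowlist expressed two ways: a resolveClass override (works on every Java version) and a JEP 290 ObjectInputFilter (Java 9 and later). The Greeting message type and the allowlist contents are constructed for the demo; a real allowlist is specific to the application's own serialized types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

/** Look-ahead deserialization: refuse every class that is not explicitly allowed. */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Constructed allowlist for this demo; a real one lists the application's own message types.
    private static final Set<String> ALLOWED = Set.of("SafeObjectInputStream$Greeting");

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject before the class is loaded, so gadget classes such as
        // org.apache.commons.collections.functors.InvokerTransformer are never resolved.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /** A harmless application message type, constructed for this example. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize through the resolveClass allowlist (any Java version). */
    static Object readAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    /** Same policy as a JEP 290 filter (Java 9+): the trailing "!*" rejects everything unlisted. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter =
                ObjectInputFilter.Config.createFilter("SafeObjectInputStream$Greeting;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        System.out.println("allowlisted: " + ((Greeting) readAllowlisted(expected)).text);
        System.out.println("filtered:    " + ((Greeting) readFiltered(expected)).text);

        // A stream carrying an unexpected type is refused before its class is resolved;
        // an attacker-supplied gadget chain would fail at exactly this point.
        byte[] unexpected = serialize(new java.util.ArrayList<>(java.util.List.of("x")));
        try {
            readAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by resolveClass: " + e.getMessage());
        }
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeObjectInputStream.java && java SafeObjectInputStream`. The allowlist is defense in depth, not a substitute for the upgrade listed below: it closes the deserialization entry point regardless of which gadget library happens to be on the classpath, while the upgraded commons-collections only removes this particular chain.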

What are the Known Public Exploits?

PoC Author | Link | Commentary
ianxtianxt | Link | (CVE-2015-7501) JBoss JMXInvokerServlet deserialization vulnerability

What are the Available Fixes for CVE-2015-7501?

Available Upgrade Options

  • commons-collections:commons-collections
    • <3.2.2 → Upgrade to 3.2.2
  • org.apache.commons:commons-collections4
    • <4.1 → Upgrade to 4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2015-7501?

Similar Vulnerabilities: CVE-2017-1000109, CVE-2019-17558, CVE-2020-13936, CVE-2020-17521, CVE-2021-44228