
Commons-collections serialization Security Advisory [07 Dec 2015] -- CVE-2015-7501


Article ID: 42465


Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

Problem:

The Apache commons-collections library contains classes that, when an application deserializes attacker-supplied Java serialized data, can be chained together (a so-called gadget chain) so that deserialization itself executes arbitrary code. A remote attacker who can deliver serialized data to such an endpoint could use this flaw to execute arbitrary code with the permissions of the application that has commons-collections on its classpath. Note that the library is not the network-facing component: the exposure exists wherever an application deserializes untrusted input while the vulnerable library is loadable.

CA Technologies has reviewed this vulnerability against its product suite to determine the full scope of affected products. Based on those findings, the patch listed under Resolution contains the changes necessary to address this issue in the products named below.

 

Environment: 

Product(s) affected: CA API Gateway / Firewall / API Proxy / Mobile Access Gateway / CA API Developer Portal

Version(s): All versions

Resolution:

The remediation for this vulnerability is delivered in the following patch files (links updated 11-10-2016):

CVE-2015-7501_post8.0.L7P (for API Gateway version 8.0 and higher, and for CA API Developer Portal)

CVE-2015-7501_pre8.0.L7P (for API Gateway version 7.x)

Note: Please be aware that any Release or Service Pack upgrade may require you to re-install this Patch. Please contact Support for more information.

Additional Information:

This vulnerability is tracked as CVE-2015-7501; Red Hat's entry for it is at:

https://access.redhat.com/security/cve/cve-2015-7501

Environment

Release: L7SMG299000-7.1-Mobile API Gateway-HARDWARE APPLIANCE DUAL CPU