It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.
CA Technologies has been reviewing the vulnerability against our product suite to ensure that we understand the complete coverage that this issue may extend to. Based on our findings, we have determined that this patch will include the changes necessary to address this issue.
Product(s) affected: CA API Gateway / Firewall / API Proxy / Mobile Access Gateway / CA API Developer Portal
Version(s): All versions
The remediation for this vulnerability is included in the following files (links updated 11-10-2016):
CVE-2015-7501_post8.0.L7P (for API Gateway version 8.0 and higher, and for CA API Developer Portal)
CVE-2015-7501_pre8.0.L7P (for API Gateway version 7.x)
Note: Please be aware that any Release or Service Pack upgrade may require you to re-install this Patch. Please contact Support for more information.
US-CERT/NIST has issued a security advisory, CVE-2015-7501.