Description

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0. A remote attacker can execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.

Remediation

Upgrade to the latest version of IBM WebSphere.

References

Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)

Related Vulnerabilities

WordPress 6.0.x Shortcode Execution (6.0 - 6.0.4)

Drupal Core 7.x Remote Code Execution (7.0 - 7.58)

SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit

WordPress Plugin MailPress Remote Code Execution (7.0.2)

Drupal Core 9.0.x Remote Code Execution (9.0.0 - 9.0.7)

Severity

High

Classification

CVE-2015-7450 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor Insecure Deserialization