Issued:
2015-11-20
Updated:
2015-11-20

RHSA-2015:2502 - Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update

Synopsis

Critical: Red Hat JBoss Data Grid 6.4.1 and 6.5.1 commons-collections security update

Type/Severity

Security Advisory Critical

Topic

An updated package for the apache commons-collections library, fixing one security issue, is now available for Red Hat JBoss Data Grid 6.4.1 and 6.5.1 from the Red Hat Customer Portal.

Red Hat Product Security has rated this update as having Critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Description

Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan.

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library. (CVE-2015-7501)

Further information about this security flaw may be found at: https://access.redhat.com/solutions/2045023

All users of Red Hat JBoss Data Grid 6.4.1 and 6.5.1 as provided from the Red Hat Customer Portal are advised to install this security patch.

Solution

The References section of this erratum contains a download link (you must log in to download the update). Before applying this update, back up your existing JBoss Data Grid installation.

Affected Products

ProductVersionArch
Red Hat JBoss Data GridText-Only Advisoriesx86_64

Fixes

CVEs

References

Additional information