===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4319
   Security Bulletin: Apache Commons Collections library in WebSphere
    Application Server Knowledge Center is vulnerable (CVE-2015-7450)
                              15 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server KnowledgeCenter
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-7450

Reference:         ASB-2015.0108.2
                   ESB-2018.1786.2
                   ESB-2016.0259
                   ESB-2016.0071

Original Bulletin:
   https://www.ibm.com/support/pages/node/1107105

--------------------------BEGIN INCLUDED TEXT--------------------

Apache Commons Collections library in WebSphere Application Server Knowledge
Center is vulnerable (CVE-2015-7450)

Security Bulletin

Summary

The Knowledge Center Component used in Version 9 of the WebSphere Application
Server needs an updated Apache Commons Collections library.

Vulnerability Details

CVEID: CVE-2015-7450
DESCRIPTION: Serialized-object interfaces in certain IBM analytics, business
solutions, cognitive, IT infrastructure, and mobile and social products allow
remote attackers to execute arbitrary commands via a crafted serialized Java
object, related to the InvokerTransformer class in the Apache Commons
Collections library.
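A triage check a defender can run over captured request bodies or logged payloads, added here as an example that is not part of the IBM bulletin or the AusCERT redistribution: it flags Java serialization streams whose class descriptors name the InvokerTransformer class cited above. The stream layout used (magic bytes AC ED 00 05, TC_CLASSDESC tag 0x72 followed by a length-prefixed class name) is standard Java serialization; the sample bytes are constructed, and the collections4 package name is an addition not mentioned in the bulletin.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream header
TC_CLASSDESC = 0x72                   # class-descriptor tag in the stream

# Gadget class named in the bulletin (collections 3.x) and its 4.x package.
SUSPECT_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.$_")

def is_java_serialized(data: bytes) -> bool:
    return data.startswith(STREAM_MAGIC)

def class_names(data: bytes) -> list:
    """Collect class names from TC_CLASSDESC records: tag, 2-byte big-endian
    length, then the name. A byte-walk heuristic rather than a full stream
    parser, so it also copes with truncated captures."""
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack(">H", data[i + 1:i + 3])
            raw = data[i + 3:i + 3 + n]
            if 0 < n == len(raw) and set(raw.decode("latin-1")) <= NAME_CHARS:
                names.append(raw.decode("ascii"))
                i += 3 + n          # skip the name so its bytes are not rescanned
                continue
        i += 1
    return names

def classify(data: bytes) -> str:
    """Return 'not-java-serialization', 'suspect' or 'clean'."""
    if not is_java_serialized(data):
        return "not-java-serialization"
    hits = SUSPECT_CLASSES.intersection(class_names(data))
    return "suspect" if hits else "clean"

def _classdesc(name: str) -> bytes:
    """Constructed fragment: TC_OBJECT, TC_CLASSDESC, class name, then dummy
    serialVersionUID/flags bytes; enough for the scanner to see the name."""
    return b"\x73\x72" + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 10

# Constructed samples: a benign stream and one whose descriptors name the gadget.
SAMPLE_CLEAN = STREAM_MAGIC + _classdesc("java.util.HashMap")
SAMPLE_SUSPECT = SAMPLE_CLEAN + _classdesc(
    "org.apache.commons.collections.functors.InvokerTransformer")
```

Applying the fix pack or interim fix listed below remains the remediation; this check only helps spot such payloads in transit or on disk.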
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+----------------------------+----------+
|Affected Product(s)         |Version(s)|
+----------------------------+----------+
|WebSphere Application Server|9.0       |
+----------------------------+----------+

Remediation/Fixes

For IBM WebSphere Application Server:

For V9.0.0.0 through 9.0.5.1:
Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PH16353
-- OR --
Apply Fix Pack 9.0.5.2 or later (targeted availability 4Q2019).

Workarounds and Mitigations

None

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================