Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4319
Security Bulletin: Apache Commons Collections library in WebSphere
Application Server Knowledge Center is vulnerable (CVE-2015-7450)
15 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere Application Server KnowledgeCenter
Publisher: IBM
Operating System: AIX
HP-UX
IBM i
Linux variants
Solaris
Windows
z/OS
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-7450
Reference: ASB-2015.0108.2
ESB-2018.1786.2
ESB-2016.0259
ESB-2016.0071
Original Bulletin:
https://www.ibm.com/support/pages/node/1107105
- --------------------------BEGIN INCLUDED TEXT--------------------
Apache Commons Collections library in WebSphere Application Server Knowledge
Center is vulnerable (CVE-2015-7450)
Security Bulletin
Summary
The Knowledge Center Component used in Version 9 of the WebSphere Application
Server needs an updated Apache Commons Collections library.
Vulnerability Details
CVEID: CVE-2015-7450
DESCRIPTION: Serialized-object interfaces in certain IBM analytics, business
solutions, cognitive, IT infrastructure, and mobile and social products allow
remote attackers to execute arbitrary commands via a crafted serialized Java
object, related to the InvokerTransformer class in the Apache Commons
Collections library.
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
+----------------------------+----------+
|Affected Product(s) |Version(s)|
+----------------------------+----------+
|WebSphere Application Server|9.0 |
+----------------------------+----------+
Remediation/Fixes
For IBM WebSphere Application Server:
For V9.0.0.0 through 9.0.5.1:
Upgrade to minimal fix pack levels as required by interim fix and then
apply Interim Fix PH16353
- -- OR
Apply Fix Pack 9.0.5.2 or later (targeted availability 4Q2019).
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXc4c/maOgq3Tt24GAQiCaRAAz2N5psIhmob5tvVa7Aczmus8gfWVbjmL
MGFGS5Pe86kQBCY70NXQZ2DpxNb92Lg5H5ZGxOAU8e6X/lPexCaYk5KOwpNYzxgn
sqxgJTAB9Lu8vOZIwfHEqXO3AAuj4nYe9JM9AIxSC7VMB1DH0VIQMjwZ4s6srEhT
dhg2Lyj6n35+lAyUKCKo18Uc6CMdCg1ik0jmmhBNsBdf1wJ2mPMCH85UyNwiDxJs
req1hH0I1ZrsuwssFZNW+ZUNFftdgK6nS0Fki7HUJiTidRpvtbXVry8+GwSriDWb
7u17fO+BGEhBudxMZYalymo3VFHwE6qBeftUlfZe2FLEOemWzLfy5Wne+XydNL9i
74HQ+QG1q93wdJp1Z1+TMHO1dzp6Rr+uYSED13L7S0ZRiIv9Pm+Phmduq7DpA6E+
T8i+V3ukqHW6PZdejwW6tjN2utBMHweL9ThM7nNdaAHtX0abOsw66l86Ry4YxC9y
nU3ugEMVoVWr8nbtr3yStSVhFA4PNlpktiKIoGCaU3zl7jiIy0MRYZNnGhsLkYjr
ddQC/b2pfwl65tBSNKJjsRoR0rpqo6Y9+mPzBpbPQ05SX/Y/Oz8JXNutKjVRm/47
i3vdq5h/mYPBvi7vzUZO9+/DN0hBEXaJfTp+Q4K+NoFclbX0v5zZMFwkpVvhgy3s
1RjkVFxTHsY=
=b6kh
-----END PGP SIGNATURE-----