Description
WebSphere Application Server and WebSphere Application Server Hypervisor Edition are affected by an Apache Commons Collections vulnerability in the handling of Java object deserialization; IBM has addressed it. The IBM HTTP Server and versions of WebSphere Application Server prior to Version 7.0 are not affected. The flaw lets a remote attacker execute arbitrary code on the system because untrusted data is deserialized through the Java InvokerTransformer class: by sending specially crafted serialized data, an attacker could execute arbitrary Java code on the system.
Remediation
Upgrade to the latest version of IBM WebSphere.
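The advisory names the InvokerTransformer class as the deserialization gadget. The following Python example is added here and is not IBM's code or part of this advisory: it is a heuristic defender-side check, of the kind a gateway or log pipeline could apply to an inbound request body, that confirms the Java serialization stream magic and flags class descriptors from the Commons Collections functors packages. The package prefixes are the real Commons Collections package names; the byte samples are constructed and truncated for illustration.

```python
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION 5
TC_CLASSDESC = 0x72                       # type code that precedes a class name

# Packages whose classes should never arrive in untrusted input; the
# InvokerTransformer named in the advisory lives in the first one.
GADGET_PREFIXES = (
    "org.apache.commons.collections.functors.",
    "org.apache.commons.collections4.functors.",
)


def is_java_serialized(data: bytes) -> bool:
    """True if the body starts with the Java serialization magic bytes."""
    return data.startswith(JAVA_SERIAL_MAGIC)


def class_names(data: bytes):
    """Heuristic scan, not a full stream parser: each TC_CLASSDESC (0x72) is
    followed by a class name as 2-byte big-endian length + ASCII bytes."""
    names = []
    i = 0
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3:i + 3 + length]
            name = raw.decode("ascii", errors="replace") if len(raw) == length else ""
            if name and all(c.isalnum() or c in "._$" for c in name):
                names.append(name)
                i += 3 + length      # skip past the name we just consumed
                continue
        i += 1
    return names


def flagged_classes(data: bytes):
    """Class names from known gadget packages found in a serialized stream."""
    if not is_java_serialized(data):
        return []
    return [n for n in class_names(data) if n.startswith(GADGET_PREFIXES)]


def _utf(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode("ascii")


# Constructed samples: the opening bytes (TC_OBJECT, TC_CLASSDESC, class name)
# of a stream whose first object is an InvokerTransformer, and a benign one.
SAMPLE_GADGET = JAVA_SERIAL_MAGIC + b"\x73\x72" + _utf(
    "org.apache.commons.collections.functors.InvokerTransformer")
SAMPLE_BENIGN = JAVA_SERIAL_MAGIC + b"\x73\x72" + _utf("java.util.HashMap")
```

Flagging on class names is a detection aid only; on the server side the fix is the upgrade above together with an allowlisting `ObjectInputFilter`, since gadget classes can be renamed or nested in other containers.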