(UPDATED) Vulnerability in Apache Commons Collections Could Allow Arbitrary Code Execution

ITS Advisory Number: 
2015-157 (UPDATED)
Date(s) Issued: 
Wednesday, December 16, 2015
Date Updated: 
Tuesday, May 10, 2016
Subject: 
(UPDATED) Vulnerability in Apache Commons Collections Could Allow Arbitrary Code Execution
Overview: 

A vulnerability has been discovered in Apache Commons Collections which could allow for remote code execution. Apache Commons Collections are a set of implementations, interfaces, and utilities to expand on the functionality of the Java Development Kit (JDK) classes. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the application account and allow for the execution of arbitrary code.

December 22 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported in VMware products that could allow for remote code execution.

March 22 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported in HP Service Manager which could allow for remote code execution.

March 28 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported in McAfee ePolicy Orchestrator which could allow for arbitrary code execution.

May 10 - UPDATED OVERVIEW:

Additional vulnerabilities have been reported in Red Hat JBoss Operations Network which could allow for remote code execution. Red Hat JBoss Operations Network is a product designed to provide solutions to manage JBoss Enterprise Middleware, applications and services.

Systems Affected: 

The following vendors have been found to have products affected by this vulnerability:

December 22 - UPDATED SYSTEMS AFFECTED:

March 22 - UPDATED SYSTEMS AFFECTED:

  • HP Service Manager 9.30 - HP Service Manager 9.41

March 28 - UPDATED SYSTEMS AFFECTED:

  • McAfee ePolicy Orchestrator
    • Prior to version 4.6.9
    • Prior to version 5.1.3
    • Prior to version 5.3.1

May 10 - UPDATED SYSTEMS AFFECTED:

  • Red Hat JBoss Operations Network

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
High
Description: 

A vulnerability has been discovered in the Apache Commons Collections InvokerTransformer class. When the library is present in an application that exposes an endpoint accepting serialized Java objects, the combination can lead to remote code execution: deserializing a specially crafted Java object causes an arbitrary payload to run on the affected system.

Successful exploitation could result in an attacker gaining the same privileges as the affected process. Depending on the privileges associated with that process and on the vulnerable application, an attacker could perform actions such as installing programs; viewing, changing, or deleting data; or creating new accounts with full user rights.
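As an added example (not part of the advisory), the following Java filter shows the mitigation that addresses the root cause described above: an endpoint that deserializes untrusted input should resolve only the classes it expects, so a gadget class such as InvokerTransformer is refused before it is ever loaded. The `Message` type, the allow-list contents and the constructed inputs are assumptions made for the demonstration.

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: the class name read from the stream is checked
// against an allow-list before the JDK loads or instantiates it, so a gadget
// class such as org.apache.commons.collections.functors.InvokerTransformer
// is rejected before any of its code can run.
public class SafeObjectInputStream extends ObjectInputStream {
    // Only the types this endpoint legitimately expects (Message is hypothetical).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.String", Message.class.getName()));

    public SafeObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            // Failing here is the mitigation: the class is never loaded or instantiated.
            throw new InvalidClassException(name, "not on the deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Hypothetical application message type, only here to demonstrate the filter.
    public static class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        String text;
        Message(String text) { this.text = text; }
    }
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected object and one the endpoint never asked for.
        byte[] expected = serialize(new Message("hello"));
        byte[] unexpected = serialize(new ArrayList<>(Arrays.asList("x")));
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(expected))) {
            System.out.println("accepted: " + ((Message) in.readObject()).text);
        }
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(unexpected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same allow-list check applies to any class in the stream, not only the Commons Collections gadgets, which is why it is preferable to a deny-list of known bad class names.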

December 22 - UPDATED DESCRIPTION

Multiple VMware products are prone to a remote code-execution vulnerability because they fail to properly perform deserialization of input Java objects. Successful exploitation could allow execution of arbitrary commands via a crafted serialized Java object. Exploitation of the issue on vRealize Operations and vCenter Operations is limited to local privilege escalation.

There are currently patches available for vRealize Orchestrator 6.x and vCenter Orchestrator 5.x. Patches for vRealize Operations 6.x, vCenter Operations 5.x, and vCenter Application Discovery Manager are awaiting release.

March 22 - UPDATED DESCRIPTION

HP Service Manager is vulnerable to a remote code execution vulnerability. Specifically, this issue occurs because it fails to properly perform deserialization on input Java objects. HP Service Manager is an IT helpdesk application available for multiple platforms.

Successful exploitation of this vulnerability would result in remote code being run within the context of the affected application. Updates are available which mitigate this vulnerability.

March 28 - UPDATED DESCRIPTION

McAfee ePolicy Orchestrator is vulnerable to an arbitrary code execution vulnerability. Specifically, this issue occurs because it fails to properly perform deserialization on input Java objects. McAfee ePolicy Orchestrator (ePO) is a product designed to remotely manage various policies and antivirus products.

Successful exploitation of this vulnerability would result in arbitrary code being run within the context of the affected application. Updates are available which mitigate this vulnerability.

May 10 - UPDATED DESCRIPTION

Red Hat JBoss Operations Network is vulnerable to a remote code execution vulnerability. Specifically, this issue occurs because it fails to properly perform deserialization on input Java objects. 

Actions: 
  • After appropriate testing, apply vendor-specific updates once they become available.
  • Verify no unauthorized system modifications have occurred on the system before applying patches.
  • Monitor intrusion detection systems for any signs of anomalous activity.