Environment
Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 2015 (OES 2015)
Situation
Is Micro Focus Open Enterprise Server vulnerable to the Java InvokerTransformer function exploit?
The InvokerTransformer exploit (CVE-2015-4852) is exposed through the Java Commons Collections libraries, of which a default Open Enterprise Server installation installs the following modules:
- jakarta-commons-daemon
- jakarta-commons-pool-tomcat5
- jakarta-commons-dbcp-tomcat5
- jakarta-commons-collections-tomcat5
- jakarta-commons-logging
Resolution
On OES servers, the Apache Commons Collections library may be present on the system and also in the classpath, and could therefore be potentially vulnerable.
OES components have been identified as not vulnerable to the attack exposed by the deserialization vulnerability.
From a core SUSE Linux Enterprise Server 11 SP3 perspective, an update to address this vulnerability was released with jakarta-commons-collections-3.2.2-88.36.1.
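To confirm that a server is at or above the fixed package level named above, the following check can be used. It is an added example, not part of the original TID. It assumes that jakarta-commons-collections-tomcat5 carries the same version-release as jakarta-commons-collections and that GNU `sort -V` is an acceptable approximation of RPM's version ordering; the function names are hypothetical.

```shell
#!/bin/sh
# Fixed level named in this TID for SLES 11 SP3.
FIXED_VERSION="3.2.2"
FIXED_RELEASE="88.36.1"

# ver_ge A B: succeed when A sorts at or after B in version order.
# sort -V (GNU coreutils) is used as an approximation of RPM's comparison.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# is_fixed VERSION-RELEASE: succeed when the package is at or above the fix.
is_fixed() {
    cc_version="${1%%-*}"
    cc_release="${1#*-}"
    if [ "$cc_version" = "$FIXED_VERSION" ]; then
        ver_ge "$cc_release" "$FIXED_RELEASE"
    else
        ver_ge "$cc_version" "$FIXED_VERSION"
    fi
}

# report_installed: query the RPM database for the collections packages.
# Assumption: both packages are expected to share one version-release.
report_installed() {
    for cc_pkg in jakarta-commons-collections jakarta-commons-collections-tomcat5; do
        if cc_vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' "$cc_pkg" 2>/dev/null); then
            if is_fixed "$cc_vr"; then
                echo "$cc_pkg $cc_vr: at or above fixed level"
            else
                echo "$cc_pkg $cc_vr: BELOW $FIXED_VERSION-$FIXED_RELEASE, update required"
            fi
        else
            echo "$cc_pkg: not installed"
        fi
    done
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report_installed
fi
```

Run the script with `--report` on the server to query the installed packages. The release comparison is numeric per component, so a constructed value such as 88.9.1 is correctly treated as older than 88.36.1.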
Cause
Serialized JAVA InvokerTransformer exploit (CVE-2015-4852).