Open Enterprise Server and the serialized Java InvokerTransformer exploit (CVE-2015-4852).

  • 7017024
  • 30-Nov-2015
  • 30-May-2016

Environment

Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 2015 (OES 2015)

Situation

Is Micro Focus Open Enterprise Server vulnerable to the Java InvokerTransformer deserialization exploit (CVE-2015-4852)?

The InvokerTransformer class used by this exploit (CVE-2015-4852) is part of the Apache Commons Collections library, which SUSE packages under the jakarta-commons-* names. A default Open Enterprise Server installation installs the following Apache Commons packages, of which jakarta-commons-collections-tomcat5 is the one that contains the Commons Collections classes:
  • jakarta-commons-daemon
  • jakarta-commons-pool-tomcat5
  • jakarta-commons-dbcp-tomcat5
  • jakarta-commons-collections-tomcat5
  • jakarta-commons-logging

Resolution

On OES servers the Apache Commons Collections library (jakarta-commons-collections) may be present on the system and on the class path of Java services, so the InvokerTransformer gadget class is available to any Java process that loads it. The library on its own is only a gadget chain: an attack additionally needs a service that deserializes attacker-controlled Java objects with this library on its class path.
OES components have been reviewed and identified as not vulnerable to the attack exposed by this deserialization vulnerability. Third-party Java applications deployed on the same server are outside that review, so the SLES package update below should be applied regardless.

At the level of the underlying SUSE Linux Enterprise Server 11 SP3, the update addressing this vulnerability was released as jakarta-commons-collections-3.2.2-88.36.1. Commons Collections 3.2.2 refuses to deserialize InvokerTransformer and the other unsafe functor classes unless the JVM is started with the system property org.apache.commons.collections.enableUnsafeSerialization=true, so the update removes the gadget chain itself rather than patching a single caller.
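As an added example that is not part of this TID, the following POSIX shell script checks a host for the two Commons Collections packages named above, compares their versions against the fixed version 3.2.2 from the text, and flags any Java process started with the enableUnsafeSerialization property that re-enables the gadget classes in 3.2.2. The package names and fixed version come from the article; the rpm query format and the property name are standard, and the sample rpm and ps lines embedded in the script are constructed so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the TID): audit a SLES 11 SP3 / OES host for the
# Commons Collections packages named in the article. Package names and the
# fixed version 3.2.2 are from the article; sample lines below are constructed.

FIXED_VERSION="3.2.2"
UNSAFE_PROP="org.apache.commons.collections.enableUnsafeSerialization=true"

# version_ge A B: succeed (0) when dotted numeric version A >= B, e.g. 3.2.2 vs 3.2.1.
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; na = NF }
        NR == 2 { for (i = 1; i <= NF; i++) b[i] = $i; nb = NF }
        END {
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i in a) ? a[i] + 0 : 0
                y = (i in b) ? b[i] + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# assess_package "NAME VERSION-RELEASE": print "NAME VERSION fixed|unfixed" and
# succeed only when VERSION >= FIXED_VERSION. The input shape matches
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <package>
assess_package() {
    name=${1%% *}
    vr=${1#* }
    ver=${vr%%-*}              # drop the "-RELEASE" suffix, keep the upstream version
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "$name $ver fixed"
        return 0
    fi
    echo "$name $ver unfixed"
    return 1
}

# assess_java_cmdline "ARGS": fail (1) if a JVM was started with the property that
# re-enables deserialization of InvokerTransformer & co. in commons-collections 3.2.2.
assess_java_cmdline() {
    case "$1" in
        *"-D$UNSAFE_PROP"*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_live: run both checks against the real host (needs rpm, ps and find).
check_live() {
    rc=0
    for pkg in jakarta-commons-collections jakarta-commons-collections-tomcat5; do
        line=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' "$pkg" 2>/dev/null) || continue
        assess_package "$line" || rc=1
    done
    ps -eo args 2>/dev/null | grep '[j]ava' | while read -r args; do
        assess_java_cmdline "$args" || echo "unsafe serialization re-enabled: $args"
    done
    # Jars that rpm does not track, e.g. bundled inside a third-party web application.
    find / -xdev -name 'commons-collections*.jar' 2>/dev/null
    return $rc
}

# Constructed sample lines (not real host output) so the checks run offline.
SAMPLE_OLD="jakarta-commons-collections-tomcat5 3.2.1-88.9"
SAMPLE_FIXED="jakarta-commons-collections 3.2.2-88.36.1"
SAMPLE_JVM="/usr/lib64/jvm/jre/bin/java -D$UNSAFE_PROP -jar app.jar"

if [ "${1:-}" = "--live" ]; then
    check_live
else
    assess_package "$SAMPLE_OLD" || true
    assess_package "$SAMPLE_FIXED"
    assess_java_cmdline "$SAMPLE_JVM" || echo "unsafe serialization re-enabled in sample JVM"
fi
```

Run it without arguments to see the constructed samples assessed, or with `--live` on a real OES host. The version comparison is done field by field rather than by string comparison so that a hypothetical 3.10.x is not mistaken for being older than 3.2.2; the release suffix after the hyphen is ignored because the fix is in the upstream 3.2.2 code, not in a SUSE-specific rebuild.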

Cause

Java deserialization of untrusted data combined with the Apache Commons Collections InvokerTransformer gadget chain (CVE-2015-4852).