Open Enterprise Server and the serialized JAVA InvokerTransformer exploit (CVE-2015-4852).

  • 7017024
  • 30-Nov-2015
  • 30-May-2016


Novell Open Enterprise Server 11 (OES 11)
Novell Open Enterprise Server 2015 (OES 2015)


Is Micro Focus Open Enterprise Server vulnerable to the Java InvokerTransformer function exploit?

The InvokerTransformer exploit (CVE-2015-4852) is exposed through the Apache (Jakarta) Commons Collections library. A default Open Enterprise Server installation installs the following Jakarta Commons packages:
  • jakarta-commons-daemon
  • jakarta-commons-pool-tomcat5
  • jakarta-commons-dbcp-tomcat5
  • jakarta-commons-collections-tomcat5
  • jakarta-commons-logging


On OES servers, the Apache Commons Collections library may be present on the system and also on the class path of running Java applications, which could make those applications potentially vulnerable.
OES components have been reviewed and identified as not vulnerable to the attack exposed by this deserialization vulnerability.

From a core SUSE Linux Enterprise Server 11 SP3 perspective, an update to address this vulnerability was released with jakarta-commons-collections-3.2.2-88.36.1.
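As an added check that is not part of this TID, the following POSIX shell script compares the installed jakarta-commons-collections RPM's version-release against the fixed build 3.2.2-88.36.1 named above. The package name and fixed version come from this article; the comparison logic and the `rpm` query are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the TID): is the installed
# jakarta-commons-collections RPM at or above the SLES 11 SP3 fixed build?

FIXED_VR="3.2.2-88.36.1"          # fixed version-release named in the TID
PKG="jakarta-commons-collections"

# vr_ge A B: return 0 if version-release A >= B.
# Both strings are split on '.' and '-' and compared field by field as
# integers; a missing trailing field counts as 0 (so 3.2.2 == 3.2.2-0).
vr_ge() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; if [ "$fa" = "$a" ]; then a=''; else a=${a#*.}; fi
        fb=${b%%.*}; if [ "$fb" = "$b" ]; then b=''; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# check_installed: query the live RPM database.
# Exit 0 = fixed build or package absent, 1 = older build present,
# 2 = rpm is not available on this host.
check_installed() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; cannot check"; return 2; }
    # rpm -q reports a missing package on stdout, so test the exit code first.
    rpm -q "$PKG" >/dev/null 2>&1 || { echo "$PKG is not installed"; return 0; }
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" | head -n 1)
    if vr_ge "$inst" "$FIXED_VR"; then
        echo "$PKG $inst is at or above $FIXED_VR (fixed)"
        return 0
    fi
    echo "$PKG $inst is older than $FIXED_VR: apply the SLES 11 SP3 update"
    return 1
}

# Run the live check only when invoked with --check, e.g. sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
    exit $?
fi
```

The jakarta-commons-collections-tomcat5 package listed above is a separate RPM; set PKG accordingly to check it as well.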


Serialized JAVA InvokerTransformer exploit (CVE-2015-4852).