Unsafe Object Deserialization Vulnerability in Apache Commons Collections (CVE-2015-6420)

  • 7022774
  • 24-Mar-2018
  • 26-Mar-2018

Environment

Verastream Host Integrator version 7.7.34 and earlier
Verastream Process Designer R6 and earlier

Situation

Apache Commons Collections (ACC) library version 3.2.1 contains an unsafe object deserialization vulnerability (CVE-2015-6420) that allows a remote attacker to execute arbitrary code on an unpatched machine that uses JMX.

Resolution

  • Beginning in VHI 7.7 SP1 (version 7.7.1031 or 7.7.1.1031, released March 2018), the updated ACC module is included. Product updates are available to maintained customers from the Downloads website.
  • For VPD or an older installation of VHI, update ACC to version 3.2.2 as described in KB 7021301.
  • In addition, as a mitigation, ensure that firewalls allow connections to the JMX management and configuration ports only from the remote clients that specifically require such access: ports 33000 and 33001 for VHI (see also KB 7021229) and port 34000 for VPD.
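As an added example (not part of this KB article and not the products' own code), the following POSIX shell script checks an installation tree for Apache Commons Collections jars older than the fixed 3.2.2 release named above, so an administrator can confirm the update took effect on a VHI or VPD host. It assumes the jars follow the Maven naming convention commons-collections-<version>.jar and that the install root is passed as an argument; the /opt/vhi path in the usage line is a placeholder, not a documented product path.

```shell
#!/bin/sh
# Added example, not code from this KB article or from the VHI/VPD products.
# Scans an installation tree for Apache Commons Collections jars and flags any
# version older than 3.2.2 (the fixed release named in the Resolution).
# Assumptions: jar files follow the Maven naming convention
# commons-collections-<version>.jar; the install root path is passed as $1
# (the /opt/vhi used below is a placeholder, not a documented product path).

# Return 0 (true) when an ACC 3.x version string is older than 3.2.2.
acc_version_vulnerable() {
    ver="$1"
    # Split major.minor.patch; missing parts default to 0 and non-numeric
    # suffixes such as "-SNAPSHOT" are dropped before comparing.
    maj=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    min=$(printf '%s' "$ver" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    pat=$(printf '%s' "$ver" | cut -s -d. -f3 | sed 's/[^0-9].*//')
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    # Encode as a single integer: 3.2.2 becomes 30202.
    [ $((maj * 10000 + min * 100 + pat)) -lt 30202 ]
}

# Print one line per jar under $1: "VULNERABLE <ver> <path>" or "ok <ver> <path>".
scan_acc_jars() {
    find "$1" -type f -name 'commons-collections-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^commons-collections-//')
        if acc_version_vulnerable "$ver"; then
            printf 'VULNERABLE %s %s\n' "$ver" "$jar"
        else
            printf 'ok %s %s\n' "$ver" "$jar"
        fi
    done
}

# Number of vulnerable jars under $1; 0 means nothing needs updating.
count_vulnerable_acc_jars() {
    scan_acc_jars "$1" | grep -c '^VULNERABLE' || true
}

# Usage: sh check_acc.sh /opt/vhi   (placeholder install root)
if [ -n "$1" ]; then
    scan_acc_jars "$1"
    n=$(count_vulnerable_acc_jars "$1")
    echo "vulnerable ACC jars: $n"
    [ "$n" -eq 0 ]
fi
```

The script exits non-zero when any old jar remains, which makes it usable from a post-upgrade check or a scheduled compliance job. It only inspects file names; a jar renamed by hand or bundled inside another archive would need a manifest inspection instead.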

Status

Security Alert

Additional Information