IBM Support

JR54719: UPDATE APACHE COMMONS COLLECTIONS VERSION TO 3.2.2 TO ADDRESS SECURITY VULNERABILITY CVE-2015-7450


APAR status

  • Closed as program error.

Error description

  • Apache Commons Collections could allow a remote attacker to
    execute arbitrary code on the system. The flaw is reachable
    through Java deserialization: the library's InvokerTransformer
    class invokes methods by reflection, and deserialization of
    untrusted data can be made to trigger it. By sending specially
    crafted serialized data to an application that deserializes it
    with Commons Collections on the classpath, an attacker could
    exploit this vulnerability to execute arbitrary Java code on the
    system.
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of Business Glossary, Metadata Workbench, Information
    Governance Catalog and FastTrack in various release streams
    ****************************************************************
    PROBLEM DESCRIPTION:
    Apache Commons Collections could allow a remote attacker to
    execute arbitrary code on the system. The flaw is reachable
    through Java deserialization: the library's InvokerTransformer
    class invokes methods by reflection, and deserialization of
    untrusted data can be made to trigger it. By sending specially
    crafted serialized data to an application that deserializes it
    with Commons Collections on the classpath, an attacker could
    exploit this vulnerability to execute arbitrary Java code on the
    system.
    ****************************************************************
    RECOMMENDATION:
    Refer to Security bulletin
    http://www-01.ibm.com/support/docview.wss?uid=swg21971410 for
    actions to perform.
    CAVEAT: If you need to upgrade an 11.3.x.x system to 11.5.0.0,
    you must first uninstall this patch. After completing the
    upgrade, apply the 11.5 versions of this patch. If you cannot
    uninstall JR54719 because it is not the last installed patch,
    you can use patch_rollbackJR54719_ISF_all_11300-12 to roll it
    back and then do the upgrade followed by re-installing JR54719.
    ****************************************************************
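The error description and problem summary above explain the mechanism (a serialized Java object that names InvokerTransformer, reaching an application that deserializes untrusted data) and the problem conclusion fixes the level to 3.2.2. The following is an added example, not IBM's or Apache's code, of two offline checks a practitioner can run while working this APAR: a coarse scanner that flags a Java serialization stream carrying the InvokerTransformer class descriptor, and a version comparison against 3.2.2. The function names, the constructed sample streams, and the helper that builds them are this example's own and do not come from the product.

```python
"""Added example for this APAR (not IBM's or Apache's code): two offline
checks for CVE-2015-7450 triage.

  scan_java_stream()             - does a Java serialization stream carry
                                   the InvokerTransformer class descriptor?
  commons_collections_is_fixed() - is a Commons Collections 3.x version at
                                   or above the 3.2.2 fix level?

All names and the sample streams below are this example's own constructions.
"""
import re
import struct

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC, TC_ENDBLOCKDATA, TC_NULL = 0x73, 0x72, 0x78, 0x70

# Fully qualified names as they appear inside TC_CLASSDESC records.
GADGET_CLASSES = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
)


def scan_java_stream(data: bytes) -> dict:
    """Report which gadget class names a serialized Java stream mentions.

    Class descriptors store the class name as a length-prefixed UTF string,
    so a byte search is a cheap first pass (at a proxy or in a log-review
    script). It is not a full parser: it cannot see names that are
    compressed, encrypted, or split across transport chunks.
    """
    if not data.startswith(JAVA_STREAM_MAGIC):
        return {"is_java_stream": False, "gadgets": []}
    found = [name.decode() for name in GADGET_CLASSES if name in data]
    return {"is_java_stream": True, "gadgets": found}


def build_sample_stream(class_name: str) -> bytes:
    """Constructed sample input: magic + one TC_OBJECT whose TC_CLASSDESC
    names class_name with no fields. Synthetic test data for the scanner,
    not a working payload."""
    name = class_name.encode()
    desc = bytes([TC_OBJECT, TC_CLASSDESC])
    desc += struct.pack(">H", len(name)) + name  # length-prefixed class name
    desc += b"\x00" * 8                          # serialVersionUID (dummy)
    desc += b"\x02"                              # SC_SERIALIZABLE flag
    desc += struct.pack(">H", 0)                 # field count: none
    desc += bytes([TC_ENDBLOCKDATA, TC_NULL])    # no annotations, no superclass
    return JAVA_STREAM_MAGIC + desc


SAMPLE_SUSPECT = build_sample_stream(
    "org.apache.commons.collections.functors.InvokerTransformer")
SAMPLE_BENIGN = build_sample_stream("java.util.ArrayList")


def parse_version(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); missing components count as zero."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0, 0])[:3])


def commons_collections_is_fixed(version: str) -> bool:
    """True when a Commons Collections 3.x version is at or above 3.2.2.

    Only the 3.x line this APAR covers is handled; any other major raises
    so a caller does not silently treat it as patched.
    """
    major, minor, patch = parse_version(version)
    if major != 3:
        raise ValueError(f"only the 3.x line is covered here, got {version}")
    return (minor, patch) >= (2, 2)


if __name__ == "__main__":
    print(scan_java_stream(SAMPLE_SUSPECT))
    print(scan_java_stream(SAMPLE_BENIGN))
    for v in ("3.2.1", "3.2.2"):
        print(v, commons_collections_is_fixed(v))
```

A version check alone is not the whole story: Commons Collections 3.2.2 refuses to deserialize InvokerTransformer and the other unsafe functors only while the JVM is started without the system property org.apache.commons.collections.enableUnsafeSerialization set to true (a fact about that release, not stated in this APAR), so after applying the patch confirm that property is absent from the product's JVM options as well.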
    

Problem conclusion

  • Upgrade Apache Commons Collections to v3.2.2
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR54719

  • Reported component name

    INFO SRVR PLATF

  • Reported component ID

    5724Q3612

  • Reported release

    B31

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-11-13

  • Closed date

    2015-12-01

  • Last modified date

    2016-01-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    INFO SRVR PLATF

  • Fixed component ID

    5724Q3612

Applicable component levels

  • R850 PSY

       UP

  • R870 PSY

       UP

  • R912 PSY

       UP

  • RB31 PSY

       UP

  • RB50 PSY

       UP

Product information

  • Product: InfoSphere Information Server (SSZJPZ)
  • Version: 11.3
  • Platform: Platform Independent
  • Business Unit: IBM Software w/o TPS
  • Line of Business: Data and AI

Document Information

Modified date:
13 October 2021