CVE-2015-7450
Severity: CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
Analysis
Multiple IBM products are vulnerable to Java deserialization attacks via the Apache Commons Collections InvokerTransformer class, allowing unauthenticated remote code execution through serialized-object interfaces.
Technical Context
This is a CWE-502 (deserialization of untrusted data) issue. The Apache Commons Collections InvokerTransformer class implements transform() as a reflective call to a method whose name and arguments are fields of the transformer itself, and the library ships map decorators that run a transformer chain when an entry is touched. Because a transformer chain and such a map can be serialized, and because a readObject() path on the class path touches the map while the stream is still being read, an attacker who can reach an endpoint that deserializes Java objects from untrusted input (JMX, RMI, or a product-specific serialized-object protocol) sends a crafted stream whose deserialization ends in a reflective call such as Runtime.exec, running OS commands as the server process before any application code sees the object. The vulnerable code is the product's own ObjectInputStream.readObject() on untrusted bytes; the library class is the gadget that makes that call exploitable.
Affected Products
Multiple IBM analytics products
IBM business solutions
IBM cognitive products
IBM IT infrastructure products
IBM mobile and social products
Remediation
Apply the IBM security patches for each affected product. Where a product bundles Apache Commons Collections, update it to 3.2.2 or later (3.x line) or 4.1 or later (4.x line): 3.2.2 refuses to deserialize InvokerTransformer and the other unsafe functors unless the system property org.apache.commons.collections.enableUnsafeSerialization is set to true, and 4.1 makes those functors non-serializable. Treat the library update as closing one gadget chain rather than the vulnerability itself: other gadget chains exist in other libraries, so the durable fix is to stop deserializing untrusted data, or to restrict it with a serialization filter (JEP 290), available as java.io.ObjectInputFilter on Java 9+ and backported as sun.misc.ObjectInputFilter in 8u121, 7u131 and 6u141, set per stream or process-wide through the jdk.serialFilter system property. Use an allowlist that ends in !* so every unknown class is rejected, and until the patches are applied restrict network access to the serialization endpoints to trusted hosts.
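As an added example (not from this advisory, vuln.today or IBM) of the remediation above and of what the vulnerable serialized-object endpoint described under Technical Context actually does, the following Java 9+ class deserializes the same bytes once with no protection and once behind a JEP 290 allowlist filter. The class and method names (DeserializationFilterDemo, Ping, readUntrusted, readFiltered) are hypothetical; Commons Collections is deliberately not on the class path, so a plain HashMap stands in for any class outside the allowlist.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

/**
 * Added example, not code from the advisory or from IBM. Requires Java 9+
 * for java.io.ObjectInputFilter (8u121 ships it as sun.misc.ObjectInputFilter).
 */
public class DeserializationFilterDemo {

    // Hypothetical benign message type the endpoint legitimately expects.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Ping(String message) { this.message = message; }
    }

    // VULNERABLE pattern: instantiates whatever class names the stream carries,
    // so any gadget chain on the class path runs inside readObject().
    static Object readUntrusted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: an allowlist filter. Classes are checked before their
    // readObject() runs; the trailing "!*" rejects everything not listed.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
          "!org.apache.commons.collections.**;"     // explicit deny for Commons Collections 3
        + "!org.apache.commons.collections4.**;"    // and Commons Collections 4
        + "maxdepth=5;maxrefs=100;maxbytes=4096;"   // resource limits against bomb payloads
        + "DeserializationFilterDemo$Ping;"         // the only application class allowed
        + "java.lang.String;"                       // field type Ping needs
        + "!*");                                    // reject all other classes

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();   // InvalidClassException("filter status: REJECTED") on a denied class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Ping("hello"));
        System.out.println("filtered benign: " + ((Ping) readFiltered(benign)).message);

        // Stand-in for an attacker-chosen class: any type outside the allowlist.
        byte[] unexpected = serialize(new HashMap<String, Integer>());
        readUntrusted(unexpected);                // accepted by the vulnerable path
        try {
            readFiltered(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide without touching code by starting the JVM with -Djdk.serialFilter="<pattern>", which is the practical option for a vendor product whose deserialization call sites you cannot edit; the per-stream setObjectInputFilter form is preferable in your own code because different endpoints can carry different allowlists.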