Deserialization vulnerability in the Apache commons-collections library

Adobe has become aware of a deserialization vulnerability in the Apache commons-collections library. The vulnerability can lead to Remote Code Execution and impacts customers using Oracle WebLogic, IBM WebSphere, and Red Hat JBoss application servers.

Perform the following steps to fix the vulnerability:

Install security fixes for your application server:

The following table lists the Security Alerts or Advisories that Oracle, IBM, and Red Hat have released for the vulnerability.

Application Server	Security Alert or Advisory
Oracle WebLogic	http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html?evite=WWSU12091612MPP001
IBM WebSphere	http://www-01.ibm.com/support/docview.wss?uid=swg21970575
Red Hat JBoss	https://access.redhat.com/solutions/2045023

Customers using these technologies are advised to obtain the security fixes directly from the application server vendors, and apply them as recommended. Customers using the JBoss turnkey, and not having a support contract with Red Hat, can contact Adobe enterprise support to obtain JBoss patches when the patches are made available by Red Hat.

Download and install the hotfix-NPR-8364:
1. Log in to the AEM instance as an administrator and open the package share. The default URL of the package share is http://[server]:[port]/crx/packageshare.
2. In package share, search CQ-ALL-hotfix-NPR-8364, click the package, and click Download. Read and accept the license agreement and click OK. The download starts. Once downloaded, the word Downloaded appears next to the package.
  
  Alternately, you can also use the hyperlink http://t.info.adobesystems.com/r/?id=hb5e38e83,33b182ff,33b688fb to manually download a package.
3. After the download completes, click Downloaded. You are redirected to package manager. In the package manager, search the downloaded package, and click Install.
  
  If you manually download the package via direct link, open the package manager, click Upload Package, select the downloaded package, and click upload. After the package is uploaded, click the package name, and click Install. The default URL of the Package Manager is http://[server]:[port]/lc/crx/packmgr/index.jsp.
4. After the package is installed, open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.htmlURL in the browser window, and download the notsoserial-[version].jar.
  
  Copy the downloaded notsoserial-[version].jar file to the server which has AEM forms deployed.
  
  Note:
  Ensure that the user running the application server has permissions to read and write to the server directory containing downloaded jar file.
5. Add the following JVM argument to the application server startup script:
  
  -javaagent:[path]/notsoserial-[version]
  
  [path] is the location on the server containing the notsoserial-[version].jar file.
6. Restart the application server.
7. Open the http://[host]:[port]/lc/libs/cq/sercheck/run/tester.html URL in a browser window. Ensure that the Serialization Test Results are set to OK.

If you are using Adobe Experience Manager forms document security add-on or LiveCycle Rights Management, then install the applicable quick fix:

Product Version	Quick Fix
Adobe Experience Manager 6.1 forms feature pack 1	Quick Fix 1034-010 Quick Fix 1048-010 Quick Fix 1049-011
Adobe Experience Manager 6.0 forms	Quick Fix 1020-005
LiveCycle ES4 SP1	Quick Fix 1126-016 Quick Fix 1134-011 Quick Fix 1137-011 Quick Fix 1141-043
LiveCycle ES3 SP2	Quick Fix 1058-012

Legal Notices | Online Privacy Policy

Deserialization vulnerability in the Apache commons-collections library

Ask the Community

Contact Us