Apache Commons Collections Java Deserialization RCE
CVE-2015-7501 is a remote code execution vulnerability affecting numerous Red Hat products that bundled or exposed vulnerable Apache Commons Collections functionality during Java deserialization. The issue arises when attacker-controlled serialized Java objects are deserialized while a gadget chain from the Apache Commons Collections library is available on the classpath, allowing execution of arbitrary commands. The affected Red Hat offerings listed are JBoss A-MQ 6.x, BPMS 6.x, BRMS 5.x/6.x, JDG 6.x, JDV 5.x/6.x, JBoss EAP 4.3.x/5.x/6.x, Fuse 6.x, FSW 6.x, JBoss ON 3.x, Portal 6.x, SOA-P 5.x, JWS 3.x, OpenShift/xPAAS 3.x, and Red Hat Subscription Asset Manager 1.3. The vulnerability is rooted in the Apache Commons Collections library, and exploitation is performed via a crafted serialized Java object.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a comprehensive Java deserialization exploitation lab, containing multiple proof-of-concept (PoC) exploits and a vulnerable HTTP server for testing. The code samples demonstrate how to craft malicious serialized Java objects (both binary and XML) that exploit gadget chains in Apache Commons Collections (<= 3.2.1) and Java's own classes to achieve arbitrary code execution upon deserialization. Key files include:
- `VulnerableHTTPServer.java`: A test server that accepts serialized objects via HTTP POST, cookies, or XML, and deserializes them, simulating real-world vulnerable applications.
- `ExampleCommonsCollections1.java`, `ExampleTransformersWithLazyMap.java`, `ReverseShellCommonsCollectionsHashMap.java`, and `reverseShellMultiplatformCommonsCollections.xml`: These files generate payloads that, when deserialized, execute arbitrary commands or establish a reverse shell by loading a remote class from an attacker-controlled server.
- `DnsWithCommonsCollections.java`: Generates a payload that triggers an HTTP/DNS request to an attacker-controlled domain, useful for blind exploitation validation.
- `ExploitGadgetExample1.java`, `ForgottenClass.java`, and `SomeInvocationHandler.java`: Demonstrate custom gadget chains and the use of Java reflection and proxies to hijack execution flow during deserialization.
- `TestSerialize.java` and `TestDeserialize.java`: Simple serialization/deserialization demos.
The repository targets Java applications that deserialize untrusted data, especially those with vulnerable versions of Apache Commons Collections in the classpath. It includes PoCs for CVE-2017-7504 and CVE-2017-12149 (affecting JBoss products), and demonstrates both local and remote (network) attack vectors. The payloads can be delivered via HTTP POST, cookies, or XML, and can result in arbitrary command execution or reverse shells.
Several endpoints and file paths are fingerprintable, including remote JAR URLs and files created on the target system as a result of exploitation.
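As an added defensive illustration (not code from this page, from Red Hat, or from the repository described above): a look-ahead ObjectInputStream that rejects any class not on an explicit allow-list at class-resolution time, before an instance exists, which is how an application that cannot yet remove a vulnerable Commons Collections jar stops the gadget chain described above from ever being instantiated. The class and method names are hypothetical, and the allow-list holds only the types a sample endpoint is assumed to expect.

```java
import java.io.*;
import java.util.*;

// Hypothetical class names; added here as a defensive illustration.
public class SafeDeserialization {
    // Only the types the endpoint legitimately expects. Gadget classes from
    // org.apache.commons.collections never get this far: they are not listed.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer"));

    // Look-ahead stream: resolveClass runs when the class descriptor is read,
    // before any instance is created, so rejection happens before a chain can fire.
    static class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Returns the object, or null when the stream carried a class that is not allowed.
    static Object deserializeOrNull(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.err.println("rejected class: " + e.classname);   // log it: a useful detection signal
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the expected ArrayList is accepted; a HashMap is
        // refused before instantiation because it is not on the list.
        System.out.println(deserializeOrNull(serialize(new ArrayList<>(Arrays.asList("a", "b")))));
        System.out.println(deserializeOrNull(serialize(new HashMap<>(Collections.singletonMap("k", "v")))));
    }
}
```

On JDK 9+ (and 8u121+) the same policy can be expressed without a subclass through `ObjectInputFilter.Config.createFilter(...)` with a pattern that rejects `org.apache.commons.collections.**` and ends in `!*`; an allow-list is preferable to denying only that package, since the repository above also notes gadget chains built from Java's own classes.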
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Vulnerability referenced by HPE as affecting HPE Telco Universal SLA Management <=4.6; specific technical details not provided in the bulletin excerpt.
A specific vulnerability in JBoss Application Server that the report hypothesizes was used to compromise legitimate websites hosting JBoss and support malware delivery in the Bassos campaign.