CVE-2015-7450
Published: 02 January 2016
Summary
CVE-2015-7450 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in IBM Tivoli Common Reporting. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2015-7450 is a deserialization vulnerability (CWE-502) affecting serialized-object interfaces in multiple IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products. The flaw stems from unsafe handling of Java serialized objects that leverage the InvokerTransformer class in the Apache Commons Collections library, enabling remote code execution when untrusted data is processed.
Remote attackers can exploit the issue over the network without authentication or user interaction by submitting a crafted serialized Java object. Successful exploitation grants arbitrary command execution with impacts equivalent to full confidentiality, integrity, and availability compromise, reflected in the CVSS 9.8 base score.
IBM has published multiple security advisories detailing affected products and recommended mitigations, available at the referenced support documents including swg21970575, swg21971342, swg21971376, swg21971733, and swg21971758.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2015-7374
Vulnerability details
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly blocks the attack by validating or rejecting untrusted serialized Java objects before they reach the InvokerTransformer deserialization path.
- SI-2 (Flaw Remediation): Requires prompt application of vendor patches that remove or safely replace the vulnerable Apache Commons Collections code in affected IBM products.
- Restricts network exposure of the serialized-object interfaces so that unauthenticated remote attackers cannot reach them.
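The first control above (validating or rejecting serialized objects before the gadget class is ever resolved) is what a JEP 290 deserialization filter does. The following is an added example, not code from IBM or Apache Commons Collections: it wires an allowlist `ObjectInputFilter` onto an `ObjectInputStream` so that only an expected payload class is accepted and every other class in the stream is rejected at class-resolution time, before any constructor or `readObject` logic runs. The class names `SafeDeserialization`, `Greeting` and `Unexpected` are assumptions made for this demo; `Unexpected` stands in for any class the service does not expect, such as a gadget-chain class. It needs Java 9 or later (the `java.io.ObjectInputFilter` API).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not IBM's or Apache's code): allowlist deserialization filter.
public class SafeDeserialization {

    // The one payload type this hypothetical serialized-object interface expects.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Stand-in for any class that is not on the allowlist (constructed for the demo).
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value = 42;
    }

    // Pattern syntax from ObjectInputFilter.Config.createFilter: first match wins,
    // so the trailing "!*" rejects every class not listed before it. The limits cap
    // graph depth, reference count and stream size to blunt resource-exhaustion payloads.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialization$Greeting;maxdepth=4;maxrefs=64;maxbytes=4096;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter is consulted for every class before it is instantiated; a
            // REJECTED verdict surfaces as InvalidClassException from readObject().
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted class: round-trips normally.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("allowed: " + g.text);

        // Any other class is refused before its state is read.
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("unexpected: filter did not reject");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allowlist is preferable to a denylist such as `!org.apache.commons.collections.functors.**`, because a denylist only covers the gadget classes known at the time it was written, whereas the allowlist leaves the stream unable to name any class the interface does not legitimately need. The same filter can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is useful when the vulnerable stream is opened by library code rather than by the application itself; rejected deserialization attempts are worth logging, since a REJECTED verdict on a production interface is a direct signal of a probe for this class of flaw.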