ePolicy Orchestrator (ePO) is packaged with Apache Commons Collections library version 3.2.1 (commons-collections-3.2.1.jar), which is vulnerable to insecure deserialization of data that may result in arbitrary code execution.
CERT/CC Vulnerability Note VU#576313
The Apache Commons Collections (ACC) library is vulnerable to insecure deserialization of data, which may result in arbitrary code execution. Java applications that either directly use ACC, or contain ACC in their classpath, may be vulnerable to arbitrary code execution.
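Because exposure depends on the library being anywhere on the classpath, an inventory of where it sits on a host is a useful first check. The following is an added example, not code from the advisory or from the vendor: it walks a directory tree, opens JAR/WAR/EAR/ZIP archives (including nested ones), and reports every copy of ACC, flagging the 3.2.1 version named above. The function names, the `org/apache/commons/collections/` package path used to spot renamed copies, and the sample WAR are assumptions constructed for illustration.

```python
import io
import os
import re
import tempfile
import zipfile

FLAGGED = "3.2.1"  # version the advisory names as bundled with ePO
NAME = re.compile(r"commons-collections-(\d+(?:\.\d+)*)\.jar$", re.I)
PKG = "org/apache/commons/collections/"  # assumed ACC 3.x package path in a jar
EXTS = (".jar", ".war", ".ear", ".zip")

def scan_archive(src, label, hits, depth=0):
    """Record ACC copies in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(src)
    except (zipfile.BadZipFile, OSError):
        return  # unreadable, or not really a zip archive: skip it
    with zf:
        names = zf.namelist()
        by_name = NAME.search(label)
        if by_name or any(PKG in n for n in names):
            # Version is read from the file name; renamed copies get "unknown".
            version = by_name.group(1) if by_name else "unknown"
            hits.append((label, version, version == FLAGGED))
        for n in names:
            if depth < 3 and n.lower().endswith(EXTS):  # bounded recursion
                scan_archive(io.BytesIO(zf.read(n)), f"{label}!/{n}", hits, depth + 1)

def scan_tree(root):
    """Return (location, version, flagged) for every ACC copy under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(EXTS):
                path = os.path.join(dirpath, f)
                scan_archive(path, path, hits)
    return hits

def build_sample(root):
    """Constructed sample: a WAR that bundles a placeholder ACC 3.2.1 jar."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(PKG + "Placeholder.class", b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/commons-collections-3.2.1.jar", jar.getvalue())

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(*scan_tree(d), sep="\n")
```

Entries reported with version "unknown" are copies found by package path only and need manual review; the flag marks only the version this advisory names.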
Remediation
This issue is remediated with ePO 5.x Hotfix 1106041. These fixes will be included in the next ePO patch release.
- Users of ePO 4.6.x are advised to upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
- Users of ePO 5.0.x and 5.1.x should upgrade to ePO 5.1.3 or 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
- Users of ePO 5.3.0 should upgrade to ePO 5.3.1 and then apply hotfix EPO5xHF1106041.zip.
| Product | Type | File Name | Release Date |
|---|---|---|---|
| ePO 5.3.1 | Hotfix | ePO5xHF1106041.zip | December 30, 2015 |
| ePO 5.1.4 | Patch | TBD | Q2 2016 |
| ePO 5.1.3 | Hotfix | ePO5xHF1106041.zip | December 30, 2015 |
Recommendation
Intel Security recommends that all customers verify that they have applied the latest updates. Impacted users should install the relevant patches or hotfixes. For full instructions and information, see the Knowledge Base article SB10144.
See the ePolicy Orchestrator 5.x Hotfix 1106041 Release Notes for further details at: