Cisco Information for VU#576313

Apache Commons Collections Java library insecurely deserializes data

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco has released a security advisory and list of affected products at the URL below. Cisco has assigned CVE-2015-6420 to this issue.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

Addendum

As of 2017-07-18, CERT/CC is aware of a report that Cisco Unity Express (CUE) 8.6.1 is still vulnerable to this issue and is incorrectly identified as "not vulnerable" in the above Cisco advisory. We have reached out to Cisco for clarification.
