Security scan on sql_server_2019_express_x64_ENU.exe identified a vulnerability CVE-2015-7501

D K, Harini 1 Reputation point
2021-11-24T07:49:43.55+00:00

CVE-2015-7501 description: Apache Commons Collections 3.2.1v has a security flaw in the InvokerTransformer class whereby serializable collections can be built that execute arbitrary Java code.

To mitigate this vulnerability we need to upgrade the Apache Commons Collections from 3.2.1v to 3.2.2v, which has a security fix for this.

Path within file matching detected library:
/Program Files/Microsoft SQL Server/150/DTS/Extensions/Common/Jars/commons-collections-3.2.1.jar

Steps to Reproduce: Run a security scan using a security scanning tool.

Please let me know if there is any patch present for SQL Server 2019 express which has a fix for this vulnerability.


2 answers

  1. CathyJi-MSFT 21,091 Reputation points Microsoft Vendor
    2021-11-24T07:59:39.817+00:00

    Hi @D K, Harini ,

    Please apply the latest CU14 for SQL Server 2019 Express; this update contains all fixes that were released after the initial release of SQL Server 2019. If it does not work, please feel free to let us know.

    Cumulative Update Package 14 for SQL Server 2019 - KB5007182



  2. Brian Bequette 6 Reputation points
    2022-11-23T13:52:12.943+00:00

    This CU14 release does NOT resolve the Commons-Collections 3.2.1 vulnerability.

    Path for this vulnerability is found in:

    C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\CommonExtensions\Microsoft\SSIS\160\Extensions\Common\Jars

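The second answer reports the 3.2.1 jar still present after CU14. As an added example (not code from the thread, Microsoft or the Commons Collections project), here is a check a defender can run over an install tree to list every Commons Collections jar older than 3.2.2, taking the version from the file name or, when the name carries none, from `Implementation-Version` in the jar manifest. The directory layout and jars that `build_sample_tree` creates are constructed samples, not real SQL Server files; point `find_vulnerable_jars` at the real paths from the thread instead.

```python
import os
import re
import tempfile
import zipfile

FIXED = (3, 2, 2)  # first Commons Collections release with the fix the question names
NAME_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)
IMPL_RE = re.compile(r"^Implementation-Version:\s*(\d+(?:\.\d+)*)", re.MULTILINE)

def parse_version(text):
    """'3.2.1' -> (3, 2, 1) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in text.split("."))

def jar_version(path):
    """Version from the file name, else from Implementation-Version in META-INF/MANIFEST.MF."""
    m = NAME_RE.match(os.path.basename(path))
    if m:
        return parse_version(m.group(1))
    try:
        with zipfile.ZipFile(path) as jar:
            m = IMPL_RE.search(jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    except (zipfile.BadZipFile, KeyError, OSError):
        return None  # unreadable jar or no manifest: report nothing rather than guess
    return parse_version(m.group(1)) if m else None

def find_vulnerable_jars(root):
    """Walk root; return sorted [(path, 'x.y.z')] for every Commons Collections jar below 3.2.2."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "commons-collections" in name.lower() and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                if version is not None and version < FIXED:
                    hits.append((path, ".".join(map(str, version))))
    return sorted(hits)

def build_sample_tree():
    """Constructed stand-in for an install tree (not real SQL Server files) so the scan runs offline."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    jars = os.path.join(root, "DTS", "Extensions", "Common", "Jars")
    os.makedirs(jars)
    samples = [("commons-collections-3.2.1.jar", "3.2.1"),   # vulnerable, version in the name
               ("commons-collections-3.2.2.jar", "3.2.2"),   # fixed
               ("commons-collections.jar", "3.2.1")]         # vulnerable, version only in manifest
    for name, impl in samples:
        with zipfile.ZipFile(os.path.join(jars, name), "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {impl}\n")
    return root
```

Running `find_vulnerable_jars` on the sample tree reports the two 3.2.1 jars and stays silent on 3.2.2, which is the after-patch check the thread is missing.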