CVE-2015-3253

Опубликовано: 13 авг. 2015

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Ссылки

http://groovy-lang.org/security.html
Vendor Advisory
http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html
Mitigation
Third Party Advisory
VDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0066.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Patch
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Patch
Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/archive/1/536012/100/0/threaded
http://www.securityfocus.com/bid/75919
Third Party Advisory
VDB Entry
http://www.securityfocus.com/bid/91787
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1034815
http://www.zerodayinitiative.com/advisories/ZDI-15-365/
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2016:1376
https://access.redhat.com/errata/RHSA-2017:2486
https://access.redhat.com/errata/RHSA-2017:2596
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E
https://security.gentoo.org/glsa/201610-01

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:apache:groovy:1.7.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.7.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:beta_3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:beta_4:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.0:rc4:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.8.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.9.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.9.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.9.0:beta_3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:1.9.0:beta_4:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:beta_3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.0:rc4:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.1.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.0:rc3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.3.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:beta_1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:beta_2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:beta_3:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:beta_4:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:rc1:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.0:rc2:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:groovy:2.4.3:*:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:a:oracle:health_sciences_clinical_development_center:3.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:health_sciences_clinical_development_center:3.1.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:4.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:5.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:13.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:13.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:13.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:13.2:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:retail_store_inventory_management:14.1:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:webcenter_sites:12.2.1:*:*:*:*:*:*:*

EPSS

Процентиль: 98%

0.66025

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-74

Связанные уязвимости

CVE-2015-3253

CVSS3: 9.8

ubuntu

больше 10 лет назад

CVE-2015-3253

CVSS3: 9.6

redhat

больше 10 лет назад

CVE-2015-3253

CVSS3: 9.8

debian

больше 10 лет назад

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...

GHSA-qg25-hgjv-cg9q

CVSS3: 9.8

github

больше 3 лет назад

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Apache Groovy

EPSS

Процентиль: 98%

0.66025

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-74