exploitDog
CVE-2015-3253

Published: 16 Jul 2015
Source: redhat
CVSS3: 9.6
CVSS2: 6.8

Description

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Mitigation

Apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

    public class MethodClosure extends Closure {
        // Refuse to resolve any MethodClosure that arrives through Java deserialization
        private Object readResolve() {
            throw new UnsupportedOperationException();
        }
    }

Alternatively, use a custom security policy file (via the standard Java security manager), or make sure that you do not rely on serialization to communicate remotely.

Affected packages

Platform                                    | Package                   | State        | Advisory       | Release
--------------------------------------------|---------------------------|--------------|----------------|-----------
Red Hat BPM Suite 6                         | groovy-all                | Not affected |                |
Red Hat Enterprise Virtualization 3         | jasperreports-server-pro  | Affected     |                |
Red Hat JBoss BRMS 5                        | groovy-all                | Will not fix |                |
Red Hat JBoss Enterprise Application Platform 5 | groovy-all            | Will not fix |                |
Red Hat JBoss Enterprise Web Server 1       | fuse                      | Affected     |                |
Red Hat JBoss Fuse Service Works 6          | groovy-all                | Affected     |                |
Red Hat JBoss Portal 6                      | groovy-all                | Affected     |                |
Red Hat JBoss SOA Platform 4                | groovy-all                | Will not fix |                |
Red Hat OpenShift Enterprise 2              | jenkins                   | Will not fix |                |
Red Hat Enterprise Linux 7                  | groovy                    | Fixed        | RHSA-2017:2486 | 17.08.2017


Additional information

Status: Important
Defect: CWE-502->CWE-284
Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1243934
groovy: remote execution of untrusted code in class MethodClosure

CVSS3: 9.6 Critical
CVSS2: 6.8 Medium

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 10 years ago

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

CVSS3: 9.8
nvd
more than 10 years ago

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

CVSS3: 9.8
debian
more than 10 years ago

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...

CVSS3: 9.8
github
more than 3 years ago

Improper Neutralization of Special Elements in Output Used by a Downstream Component in Apache Groovy
