
Apache Groovy 2.4.x Disclosure Vulnerabilities

2015-07-18 00:00:00
cpnrodzc7
0day.today

EPSS: 0.021 (Low), Percentile: 88.0%

Exploit for multiple platforms, category: remote exploits

*Severity*: Important

*Vendor*: The Apache Software Foundation

*Versions Affected*:

All unsupported versions ranging from 1.7.0 to 2.4.3.

*Impact*:

Remote execution of untrusted code, DoS

Here you can find information about security patches or updates released for Apache Groovy. Note that unless specified otherwise, no binary or source patches are available. To obtain a security fix, you need to upgrade to the latest maintained version of Apache Groovy.

Releases prior to 2.4.4 were not released under Apache so no official patches for security updates are available for older versions.

    Groovy 2.4.x vulnerabilities
    Fixed in Groovy 2.4.4

    Important: CVE-2015-3253: Remote execution of untrusted code

    Description

    When an application has Groovy on the classpath and uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

    Mitigation

    Apache Groovy 2.4.4 is the first and only supported release under the Apache Software Foundation. It is strongly recommended that all users using serialization upgrade to this version. If you cannot upgrade or rely on an older, unsupported version of Groovy, you can apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

     public class MethodClosure extends Closure {
    +    private Object readResolve() {
    +        throw new UnsupportedOperationException();
    +    }
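    Review bot: the hunk is quoted without the closing brace of the class body or any surrounding context, so it cannot be applied verbatim; anyone patching src/main/org/codehaus/groovy/runtime/MethodClosure.java by hand has to place the three added lines inside the class body. Consider throwing an `InvalidObjectException` (an `ObjectStreamException`, which `readResolve` is allowed to declare) rather than `UnsupportedOperationException`, so that callers of `ObjectInputStream.readObject` that already handle `IOException` reject the stream cleanly instead of seeing an unchecked exception, and add a one-line comment stating that the method exists to refuse deserialization of MethodClosure (CVE-2015-3253) so it is not later removed as dead code.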

    Alternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.


#  0day.today [2018-03-28]  #