Privilege Escalation Vulnerability in Scala 2.x Compilation Daemo
Reporter | Title | Published | Views | Family All 14 |
---|---|---|---|---|
![]() | GLSA-201812-08 : Scala: Privilege escalation | 17 Dec 201800:00 | – | nessus |
![]() | CVE-2017-15288 | 15 Nov 201716:29 | – | osv |
![]() | High severity vulnerability that affects org.scala-lang:scala-compiler | 19 Oct 201816:51 | – | osv |
![]() | CVE-2017-15288 | 23 Nov 201715:19 | – | redhatcve |
![]() | CVE-2017-15288 | 15 Nov 201716:29 | – | cve |
![]() | CVE-2017-15288 | 15 Nov 201716:29 | – | debiancve |
![]() | High severity vulnerability that affects org.scala-lang:scala-compiler | 19 Oct 201816:51 | – | github |
![]() | CVE-2017-15288 | 15 Nov 201716:29 | – | nvd |
![]() | CVE-2017-15288 | 15 Nov 201700:00 | – | ubuntucve |
![]() | Design/Logic Flaw | 15 Nov 201716:29 | – | prion |
A privilege escalation vulnerability has been identified in the Scala compilation daemon.
The compile daemon is started explicitly by the `fsc` command, or implicitly by executing
a Scala source file as a script (e.g `scala MyScript.scala`). Note: Using the `scala`
command to start a REPL or to run a pre-compiled class does not start the compile daemon.
# Impact
While the compile daemon is running, an attacker with local access to the machine can
execute code as the user that started the compile daemon, and can write arbitrary
class files to any location on the filesystem that the user has access to.
# Affected Versions
- Scala 2.1.6-2.10.6; 2.11.0-2.11.11; 2.12.0-2.12.3
# Mitigation
- Use `scala -nocompdaemon MyScript.scala` rather than `scala MyScript.scala` to
disable the implicit startup and use of the daemon.
- Avoid explicitly starting `fsc`
- Upgrade to Scala 2.10.7 2.11.12, 2.12.4 or higher which restricts the sensitive file to be
readable only by the owner. These releases also change the location of the sensitive
file: it is written in the directory `$HOME/.scalac`.
Announcement: http://scala-lang.org/news/security-update-nov17.html
Scala Downloads: http://scala-lang.org/download/
# 0day.today [2018-03-19] #
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo