Vulnerability CVE-2015-3253

Vulnerability CVE-2015-3253

Published: 2015-08-13

Description:

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

See advisories in our WLB2 database:

	Topic	Author	Date
Med.	Apache Groovy Zero-Day Vulnerability Disclosure	cpnrodzc7	16.07.2015
High	Elasticsearch 1.6.0 Remote Code Execution	cpnrodzc7	17.07.2015

Type:

CWE-74

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
7.5/10	6.4/10	10/10

Exploit range	Attack complexity	Authentication
Remote	Low	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Oracle -> Webcenter sites
Oracle -> Health sciences clinical development center
Oracle -> Retail order broker cloud service
Oracle -> Retail service backbone
Oracle -> Retail store inventory management
Apache -> Groovy

References:

http://groovy-lang.org/security.html

http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html

http://rhn.redhat.com/errata/RHSA-2016-0066.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.securityfocus.com/archive/1/536012/100/0/threaded

http://www.securityfocus.com/bid/75919

http://www.securityfocus.com/bid/91787

http://www.securitytracker.com/id/1034815

http://www.zerodayinitiative.com/advisories/ZDI-15-365/

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2017:2486

https://access.redhat.com/errata/RHSA-2017:2596

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

https://security.gentoo.org/glsa/201610-01

https://security.netapp.com/advisory/ntap-20160623-0001/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Vulnerability CVE-2015-3253

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

See advisories in our WLB2 database:

Med.

Apache Groovy Zero-Day Vulnerability Disclosure

High

Elasticsearch 1.6.0 Remote Code Execution

CWE-74

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

7.5/10

6.4/10

10/10

Remote

Low

No required

Partial

Partial

Partial

Affected software

References: