Apache Groovy Zero-Day Vulnerability Disclosure

2015.07.16
Credit: cpnrodzc7
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-74


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

*Severity*: Important *Vendor*: The Apache Software Foundation *Versions Affected*: All unsupported versions ranging from 1.7.0 to 2.4.3. *Impact* Remote execution of untrusted code, DoS *Description* When an application has Groovy on classpath and that it uses standard Java serialization mechanims to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. *Mitigation* Apache Groovy 2.4.4 is the first and only supported release under the Apache Software Foundation. It is strongly recommanded that all users upgrade to this version. If you cannot upgrade or rely on an older, unsupported version of Groovy, you can apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java): public class MethodClosure extends Closure { + private Object readResolve() { + throw new UnsupportedOperationException(); + } *Credit* This vulnerability was discovered by: cpnrodzc7 working with HP's Zero Day Initiative *References* http://groovy-lang.org/security.html

References:

http://groovy-lang.org/security.html
http://seclists.org/oss-sec/2015/q3/121


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top