{
  "threat_severity" : "Important",
  "public_date" : "2015-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "groovy: remote execution of untrusted code in class MethodClosure",
    "id" : "1243934",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
  },
  "cvss" : {
    "cvss_base_score" : "6.8",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502->CWE-284",
  "details" : [ "The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.", "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. Any application that deserializes data from an untrusted source, and does not isolate the code that performs the deserialization, is subject to this vulnerability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-17T00:00:00Z",
    "advisory" : "RHSA-2017:2486",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "groovy-0:1.8.9-8.el7_4"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2557",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.2"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.2",
    "release_date" : "2016-01-25T00:00:00Z",
    "advisory" : "RHSA-2016:0066",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.2",
    "package" : "groovy-all",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2556",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.2"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6.2",
    "release_date" : "2015-12-07T00:00:00Z",
    "advisory" : "RHSA-2015:2558",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.2"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3.3",
    "release_date" : "2016-02-03T00:00:00Z",
    "advisory" : "RHSA-2016:0118",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3.3",
    "package" : "groovy-all"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5.3",
    "release_date" : "2016-06-30T00:00:00Z",
    "advisory" : "RHSA-2016:1376",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3",
    "package" : "groovy-all"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Affected",
    "package_name" : "jasperreports-server-pro",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Affected",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Affected",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "groovy-all",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2015-3253\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3253\nhttp://seclists.org/oss-sec/2015/q3/121" ],
  "name" : "CVE-2015-3253",
  "mitigation" : {
    "value" : "Apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java); this is a source-level workaround, and upgrading to a fixed package from the affected_release list is preferred where one is available:\npublic class MethodClosure extends Closure {\n+    private Object readResolve() {\n+        throw new UnsupportedOperationException();\n+    }\n}\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.",
    "lang" : "en:us"
  },
  "csaw" : false
}