Bug 1243934 (CVE-2015-3253)
| Summary: | CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | high | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | unspecified | CC: | acathrow, aileenc, alazarot, asantos, aszczucz, bazulay, bdawidow, bleanhar, bmcclain, brms-jira, ccoleman, chazlett, dandread, dblechte, dmcphers, dmoppert, epp-bugs, etirelli, felias, fnasser, gvarsami, hfnukal, hhorak, huwang, idith, java-maint, jbpapp-maint, jcoleman, jdetiber, jialiu, jkeck, jokerman, jolee, jorton, jpallich, jshepherd, kconner, kseifried, ldimaggi, lgao, lmeyer, lpetrovi, lsurette, mbaluch, miburman, michal.skrivanek, mizdebsk, mmccomas, mweiler, mwinkler, myarboro, nwallace, pavelp, rbalakri, Rhev-m-bugs, rhq-maint, rrajasek, rwagner, rzhang, slong, soa-p-jira, spinder, srevivo, tcunning, theute, tkirby, twalsh, vhalbert, weli, ykaul, ylavi | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Groovy 2.4.4 | Doc Type: | Bug Fix | ||||
| Doc Text: |
A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2017-09-25 06:32:16 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1264238, 1264239, 1264240, 1264293, 1264294, 1264295, 1264296, 1264297, 1264298, 1264299, 1264301, 1264302, 1264303, 1264304, 1264305, 1264306, 1264307, 1264308, 1281481, 1483945, 1483946 | ||||||
| Bug Blocks: | 1196328, 1243940, 1284692, 1288332, 1340536, 1385169 | ||||||
| Attachments: |
|
||||||
A mitigation for this issue is not to call a MethodClosure which has been deserialized. Alternatively ensure that data which can be intercepted is encrypted. For example using SSL when sending serialized MethodClosures over a network connection. Setting WONTFIX for EAP 5 as Groovy is only included in Seam, which was supported as part of WFK, but is now EOL. Created attachment 1076242 [details]
Dependency tree report for BxMS product 6.2
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.2.1 Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html This issue has been addressed in the following products: Red Hat JBoss A-MQ 6.2.1 Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html This issue has been addressed in the following products: Red Hat JBoss Fuse 6.2.1 Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html This issue has been addressed in the following products: Via RHSA-2016:0066 https://rhn.redhat.com/errata/RHSA-2016-0066.html This issue has been addressed in the following products: Via RHSA-2016:0118 https://rhn.redhat.com/errata/RHSA-2016-0118.html JBoss EAP 5 was listed as affected as it ships the Groovy library as part of Seam. However Seam support is now in End of Life, as it was supported as part of Web Framework Kit. Setting it to WONTFIX. https://access.redhat.com/support/policy/updates/jboss_notes/eol/ This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376 FSW awaiting decision to build the last 6.0 patch Upstream commit, mostly identical to the mitigation noted in comment 0: https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d Another upstream commit: https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764 Upstream developer says that commit referenced in comment #30 is "not enough" That's CVE-2016-6814 fix, see bug 1413466. groovy18-1.8.9-30.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. groovy18-1.8.9-30.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2596 https://access.redhat.com/errata/RHSA-2017:2596 |
It was reported that when an application has Groovy on the classpath and that it uses standard Java serialization mechanim to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. Mitigation: Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java): public class MethodClosure extends Closure { + private Object readResolve() { + throw new UnsupportedOperationException(); + } Alternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely. External References: http://seclists.org/oss-sec/2015/q3/121