Bug 1415511

Summary: Security Hardening - Prevent Deserialization Attacks from using Groovy MethodClosure private readObject method
Product: [JBoss] JBoss Operations Network Reporter: Jason Shepherd <jshepherd>
Component: Core Server, SecurityAssignee: Simeon Pinder <spinder>
Status: CLOSED ERRATA QA Contact: Filip Brychta <fbrychta>
Severity: medium Docs Contact:
Priority: medium    
Version: JON 3.3.7CC: fbrychta, jshepherd, loleary, spinder, twalsh
Target Milestone: ER02Keywords: Triaged
Target Release: JON 3.3.8   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-16 18:46:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jason Shepherd 2017-01-22 23:14:16 UTC
Description of problem:

CVE-2016-6814 does not affect JON Directly. However we should take a defence in depth approach by applying the following patch to the Groovy version included with JON 3.3.7 if we do another release.


Additional info:

Users of older versions of Groovy can apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

public class MethodClosure extends Closure {
+    private void readObject(java.io.ObjectInputStream stream) throws
IOException, ClassNotFoundException {
+        if (ALLOW_RESOLVE) {
+            stream.defaultReadObject();
+        }
+        throw new UnsupportedOperationException();
+    }

Ref: http://groovy-lang.org/security.html

Comment 6 Simeon Pinder 2017-01-27 06:16:25 UTC
Moving to ON_QA as available to test with the following brew build:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=535315

NOTE: jon-server-patch-3.3.0.GA.zip maps to jon-server-3.3.0.GA-update-08.zip whic is JON 3.3.8 ER02 build.

Comment 9 errata-xmlrpc 2017-02-16 18:46:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2017-0285.html