Bug 1243934 (CVE-2015-3253) - CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
Summary: CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3253
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20150716,repo...
Depends On: 1264239 1264238 1264240 1264293 1264294 1264295 1264296 1264297 1264298 1264299 1264301 1264302 1264303 1264304 1264305 1264306 1264307 1264308 1281481 1483945 1483946
Blocks: 1196328 1243940 1284692 1288332 1340536 1385169
 
Reported: 2015-07-16 15:39 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:40 UTC (History)
CC: 71 users

Fixed In Version: Groovy 2.4.4
Doc Type: Bug Fix
Doc Text:
A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Clone Of:
Environment:
Last Closed: 2017-09-25 06:32:16 UTC


Attachments
Dependency tree report for BxMS product 6.2 (3.46 MB, text/plain), 2015-09-23 13:42 UTC, Edson Tirelli


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2556 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.2.1 update 2015-12-08 01:46:59 UTC
Red Hat Product Errata RHSA-2015:2557 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.2.1 update 2015-12-08 01:46:54 UTC
Red Hat Product Errata RHSA-2015:2558 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.2.1 update 2015-12-08 01:46:48 UTC
Red Hat Product Errata RHSA-2016:0066 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization 6.2.0 security update 2016-01-26 03:10:54 UTC
Red Hat Product Errata RHSA-2016:0118 normal SHIPPED_LIVE Critical: Red Hat JBoss Operations Network 3.3.5 update 2016-02-03 20:00:55 UTC
Red Hat Product Errata RHSA-2016:1376 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform security update 2016-07-01 01:06:13 UTC
Red Hat Product Errata RHSA-2017:2596 normal SHIPPED_LIVE Important: rh-maven33-groovy security update 2017-09-06 02:54:05 UTC

Description Vasyl Kaigorodov 2015-07-16 15:39:40 UTC
It was reported that when an application has Groovy on the classpath and uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Mitigation:

Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

    public class MethodClosure extends Closure {
        +    private Object readResolve() {
        +        throw new UnsupportedOperationException();
        +    
        }
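Review bot: the added readResolve() is never closed in the hunk as pasted: the `+    ` line after `throw new UnsupportedOperationException();` carries no `}`, so the final `}` shown closes the method instead of the class and the file does not compile. Apply it as three lines, `private Object readResolve() {`, the `throw`, and `}`, before the existing class brace; the upstream commit linked in comment 30 is the authoritative form. Note also that the change makes every deserialized MethodClosure fail, including ones the application itself wrote, which is the intent here, but anyone relying on that needs the "do not rely on serialization" advice below as well.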

Alternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.

External References:

http://seclists.org/oss-sec/2015/q3/121
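A concrete form of the "isolate the code which deserializes objects" advice in the Doc Text and the mitigation section above, added here as an example and not code from the bug report, the errata or the Groovy project: an ObjectInputStream subclass that vets every incoming class name in resolveClass(), which runs before the class is loaded or instantiated, so the Groovy runtime packages (where MethodClosure lives) are refused by name and anything outside an application allow-list is refused too. The class name SafeObjectInputStream, the Message payload type and the allow-list contents are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Look-ahead deserialization: vet the class name in resolveClass(), which
 * ObjectInputStream calls before it loads or instantiates the class, so a
 * rejected type never runs its static initializer, readObject() or readResolve().
 * Class names and the allow-list below are assumptions for this example.
 */
public final class SafeObjectInputStream extends ObjectInputStream {

    // Allow-list of the application's own types this endpoint expects.
    private static final Set<String> ALLOWED = new HashSet<String>(Arrays.asList(
            "SafeObjectInputStream$Message", "java.lang.Integer", "java.lang.Long",
            "java.lang.Boolean"));

    // Package prefixes that must never appear in a stream from the network.
    // Groovy's runtime is named explicitly: MethodClosure lives there.
    private static final String[] DENIED_PREFIXES = {"org.codehaus.groovy.", "groovy."};

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    /** Throws unless the class name is acceptable; also usable on its own. */
    static void checkClassName(String name) throws InvalidClassException {
        // Object arrays are described as "[Lpkg.Type;" so vet the element type.
        String element = name;
        while (element.startsWith("[")) {
            element = element.substring(1);
        }
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        for (String prefix : DENIED_PREFIXES) {
            if (element.startsWith(prefix)) {
                throw new InvalidClassException(name, "Groovy runtime class rejected");
            }
        }
        // Primitive arrays ("[I", "[B", ...) reduce to a one-letter code and are harmless.
        if (element.length() > 1 && !ALLOWED.contains(element)) {
            throw new InvalidClassException(name, "class not on the allow-list");
        }
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        checkClassName(desc.getName());
        return super.resolveClass(desc);
    }

    /** Sample application payload, constructed for this example. */
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new SafeObjectInputStream(new ByteArrayInputStream(data));
        try {
            return ois.readObject();
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected payload type passes.
        Message m = (Message) deserialize(serialize(new Message("hello")));
        System.out.println("accepted: " + m.text);

        // A type missing from the allow-list is refused before it is instantiated.
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The class from this CVE, and an array of it, are refused by name alone;
        // Groovy does not need to be on the classpath for the check to apply.
        for (String name : new String[] {"org.codehaus.groovy.runtime.MethodClosure",
                                         "[Lorg.codehaus.groovy.runtime.MethodClosure;"}) {
            try {
                checkClassName(name);
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac SafeObjectInputStream.java && java SafeObjectInputStream`. The allow-list is the important half: denying Groovy's packages stops this one gadget, but an allow-list of the types the endpoint actually exchanges stops the next one as well. On JDK 9 and later (and the 8u121, 7u131 and 6u141 backports) the same policy can be expressed without subclassing via the `jdk.serialFilter` system property or `ObjectInputFilter`, for example a pattern that starts with `!org.codehaus.groovy.**;!groovy.**;` and ends with `!*` after the permitted types.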

Comment 1 Jason Shepherd 2015-08-06 07:26:17 UTC
A mitigation for this issue is not to call a MethodClosure which has been deserialized. Alternatively, ensure that data which can be intercepted is encrypted, for example using SSL when sending serialized MethodClosures over a network connection.

Comment 5 Jason Shepherd 2015-09-18 01:35:46 UTC
Setting WONTFIX for EAP 5 as Groovy is only included in Seam, which was supported as part of WFK, but is now EOL.

Comment 14 Edson Tirelli 2015-09-23 13:42:19 UTC
Created attachment 1076242 [details]
Dependency tree report for BxMS product 6.2

Comment 22 errata-xmlrpc 2015-12-07 20:52:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.2.1

Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html

Comment 23 errata-xmlrpc 2015-12-07 20:52:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.2.1

Via RHSA-2015:2557 https://rhn.redhat.com/errata/RHSA-2015-2557.html

Comment 24 errata-xmlrpc 2015-12-07 20:54:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.1

Via RHSA-2015:2556 https://rhn.redhat.com/errata/RHSA-2015-2556.html

Comment 25 errata-xmlrpc 2016-01-25 22:11:01 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0066 https://rhn.redhat.com/errata/RHSA-2016-0066.html

Comment 26 errata-xmlrpc 2016-02-03 15:02:30 UTC
This issue has been addressed in the following products:



Via RHSA-2016:0118 https://rhn.redhat.com/errata/RHSA-2016-0118.html

Comment 27 Jason Shepherd 2016-02-04 01:48:26 UTC
JBoss EAP 5 was listed as affected as it ships the Groovy library as part of Seam. However Seam support is now in End of Life, as it was supported as part of Web Framework Kit. Setting it to WONTFIX.
https://access.redhat.com/support/policy/updates/jboss_notes/eol/

Comment 28 errata-xmlrpc 2016-06-30 21:07:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376

Comment 29 Pavel Polischouk 2016-09-02 00:11:45 UTC
FSW awaiting decision to build the last 6.0 patch

Comment 30 Tomas Hoger 2017-08-22 09:06:01 UTC
Upstream commit, mostly identical to the mitigation noted in comment 0:

https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d

Comment 32 Mikolaj Izdebski 2017-08-23 09:13:30 UTC
Another upstream commit: https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764
Upstream developer says that the commit referenced in comment #30 is "not enough".

Comment 33 Tomas Hoger 2017-08-23 09:37:34 UTC
That's CVE-2016-6814 fix, see bug 1413466.

Comment 36 Fedora Update System 2017-08-31 22:51:55 UTC
groovy18-1.8.9-30.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 37 Fedora Update System 2017-09-01 03:22:14 UTC
groovy18-1.8.9-30.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 38 errata-xmlrpc 2017-09-05 22:55:17 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2596 https://access.redhat.com/errata/RHSA-2017:2596

