[ https://issues.apache.org/jira/browse/TINKERPOP-1611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

stephen mallette closed TINKERPOP-1611.
---------------------------------------
    Resolution: Duplicate

Thanks James, but already done for TinkerPop 3.1.x and up.

> Groovy Security Issue:  Remote execution of untrusted code, DoS
> ---------------------------------------------------------------
>
>                 Key: TINKERPOP-1611
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1611
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: groovy
>    Affects Versions: 3.2.3
>            Reporter: James Thornton
>            Priority: Critical
>              Labels: security
>
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> * Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3
> * Apache Groovy 2.4.4 to 2.4.7
> * Fixed in version 2.4.8
> Impact:
> Remote execution of untrusted code, DoS
> Description:
> When an application with Groovy on classpath uses standard
> Java serialization mechanisms, e.g. to communicate between servers
> or to store local data, it is possible for an attacker to bake a special
> serialized object that will execute code directly when deserialized.
> All applications which rely on serialization and do not isolate the
> code which deserializes objects are subject to this vulnerability.
> This is similar to CVE-2015-3253 but this exploit involves extra
> wrapping of objects and catching of exceptions which are now
> safeguarded against.
> Mitigation:
> Users of Groovy relying on (de)serialization with the affected versions
> should apply one of the following mitigations:
> * Isolate the code doing the (de)serialization
> * Upgrade to Apache Groovy 2.4.8 or later
> * Users of older versions of Groovy can apply the following patch to the
> `MethodClosure` class
> (`src/main/org/codehaus/groovy/runtime/MethodClosure.java`):
> ```
> public class MethodClosure extends Closure {
> +    private void readObject(java.io.ObjectInputStream stream) throws
> IOException, ClassNotFoundException {
> +        if (ALLOW_RESOLVE) {
> +            stream.defaultReadObject();
> +        }
> +        throw new UnsupportedOperationException();
> +    }
> ```
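Review bot: in the `readObject` guard, `throw new UnsupportedOperationException();` is reached on both paths, so with `ALLOW_RESOLVE` set the fields are read by `stream.defaultReadObject();` and the exception is still thrown; if deserialization is meant to succeed when the flag is set, the throw belongs in an `else` branch (or the allowed branch needs a `return` after `defaultReadObject()`), and if rejection is meant to be unconditional the `ALLOW_RESOLVE` branch is dead code and should be dropped. The snippet as quoted also shows neither where `ALLOW_RESOLVE` is declared nor the `java.io.IOException` import, so anyone hand-applying it to an older version needs those from the full upstream change.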
> Credit:
> This vulnerability was discovered by:
> * Sam Thomas of Pentest Limited working with Trend Micro's Zero Day
> Initiative
> History:
> * 2016-09-20 Original advisory
> * 2017-01-12 Updated information on affected versions
> References:
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
> * http://groovy-lang.org/security.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
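The readObject guard from the mitigation above, written out as an added example (not Groovy's or TinkerPop's code) on a hypothetical stand-in class `GuardedClosure`, next to a JDK `ObjectInputFilter` (Java 9+) that rejects the class before any of its code runs; `DeserializationGuardDemo` and its `ALLOW_RESOLVE` flag are assumed names for this demo:

```java
import java.io.*;

// Stand-in for the MethodClosure guard in the advisory (hypothetical class, not
// Groovy's own), plus a JDK ObjectInputFilter (Java 9+) as an outer layer.
public class DeserializationGuardDemo {
    // Mirrors the ALLOW_RESOLVE switch: deserialization is refused by default.
    static volatile boolean ALLOW_RESOLVE = false;

    static final class GuardedClosure implements Serializable {
        private static final long serialVersionUID = 1L;
        final String method;
        GuardedClosure(String method) { this.method = method; }

        // Runs on every deserialization of this class before any other code can
        // touch the object. The allowed path returns so it cannot fall through.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            if (ALLOW_RESOLVE) {
                in.defaultReadObject();
                return;
            }
            throw new UnsupportedOperationException("GuardedClosure deserialization is disabled");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // A null filter means "rely on readObject alone"; a non-null filter is applied
    // to every class descriptor before the class is instantiated.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = serialize(new GuardedClosure("toString")); // constructed sample input
        try { deserialize(blob, null); }
        catch (UnsupportedOperationException e) { System.out.println("readObject guard: " + e.getMessage()); }
        // Reject the class by name before its readObject is reached; allow only JDK types.
        ObjectInputFilter deny = ObjectInputFilter.Config.createFilter("!DeserializationGuardDemo$GuardedClosure;java.**;!*");
        try { deserialize(blob, deny); }
        catch (InvalidClassException e) { System.out.println("ObjectInputFilter: " + e.getMessage()); }
        ALLOW_RESOLVE = true; // explicit opt-in, the only way this type deserializes
        System.out.println("allowed: " + ((GuardedClosure) deserialize(blob, null)).method);
    }
}
```

The filter layer is the "isolate the code doing the (de)serialization" mitigation in practice: an untrusted stream naming the class is refused by the JDK before the class's own `readObject` is consulted.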