[ https://issues.apache.org/jira/browse/TINKERPOP-1611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
stephen mallette closed TINKERPOP-1611.
---------------------------------------
    Resolution: Duplicate

Thanks James, but already done for TinkerPop 3.1.x and up

> Groovy Security Issue: Remote execution of untrusted code, DoS
> ---------------------------------------------------------------
>
>                 Key: TINKERPOP-1611
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-1611
>             Project: TinkerPop
>          Issue Type: Bug
>          Components: groovy
>    Affects Versions: 3.2.3
>            Reporter: James Thornton
>            Priority: Critical
>              Labels: security
>
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> * Unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3
> * Apache Groovy 2.4.4 to 2.4.7
> * Fixed in version 2.4.8
> Impact:
> Remote execution of untrusted code, DoS
> Description:
> When an application with Groovy on classpath uses standard
> Java serialization mechanisms, e.g. to communicate between servers
> or to store local data, it is possible for an attacker to bake a special
> serialized object that will execute code directly when deserialized.
> All applications which rely on serialization and do not isolate the
> code which deserializes objects are subject to this vulnerability.
> This is similar to CVE-2015-3253 but this exploit involves extra
> wrapping of objects and catching of exceptions which are now
> safeguarded against.
> Mitigation:
> Users of Groovy relying on (de)serialization with the affected versions
> should apply one of the following mitigations:
> * Isolate the code doing the (de)serialization
> * Upgrade to Apache Groovy 2.4.8 or later
> * Users of older versions of Groovy can apply the following patch to the
> `MethodClosure` class
> (`src/main/org/codehaus/groovy/runtime/MethodClosure.java`):
> ```
> public class MethodClosure extends Closure {
> + private void readObject(java.io.ObjectInputStream stream) throws
> IOException, ClassNotFoundException {
> + if (ALLOW_RESOLVE) {
> + stream.defaultReadObject();
> + }
> + throw new UnsupportedOperationException();
> + }
> ```
> Credit:
> This vulnerability was discovered by:
> * Sam Thomas of Pentest Limited working with Trend Micro's Zero Day
> Initiative
> History:
> * 2016-09-20 Original advisory
> * 2017-01-12 Updated information on affected versions
> References:
> * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
> * http://groovy-lang.org/security.html

-- 
This message was sent by Atlassian JIRA
(v6.3.4#6332)
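Review bot: in the quoted `MethodClosure` hunk the `throw new UnsupportedOperationException();` is unconditional, so when `ALLOW_RESOLVE` is true the method calls `stream.defaultReadObject()` and then still throws; deserialization of a `MethodClosure` therefore fails in both cases and the flag has no observable effect. That is fail-closed, which is the safe default, but if the flag is meant to let a trusted deployment opt back in, the throw belongs in an `else` branch (`if (ALLOW_RESOLVE) { stream.defaultReadObject(); } else { throw new UnsupportedOperationException(); }`). Also, `ALLOW_RESOLVE` is referenced but not defined anywhere in the hunk, so anyone backporting this snippet to an older Groovy needs the field's declaration as well; the advisory's snippet is a fragment, not a complete diff.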
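The advisory's first mitigation, isolating the code that deserializes, is in practice a class allow-list enforced at the `ObjectInputStream` boundary, so that a class descriptor for a type the application never expects is rejected before that type's `readObject()`/`readResolve()` can run. The following is an added example and is not code from TinkerPop, Groovy or the advisory. The classes `Message` and `SideEffectOnRead` are constructed for the demo: `Message` is the one payload type the application expects, and `SideEffectOnRead` is a stand-in for a runtime type like `MethodClosure` whose deserialization hook must never execute on untrusted input. No Groovy jar is required to run it.

```java
// Added example (not part of the TinkerPop issue or the Groovy advisory):
// a deserialization boundary that only admits an explicit allow-list of
// classes. Class names here are constructed for the demo; a real deployment
// lists its own DTOs and never Groovy runtime types such as
// org.codehaus.groovy.runtime.MethodClosure.
import java.io.*;
import java.util.Set;

public class AllowListDeserializer {

    // Only these class descriptors may be resolved from the stream.
    // Anything else is refused in resolveClass(), which the JDK calls
    // before instantiating the object, so no readObject()/readResolve()
    // of a rejected type ever runs.
    private static final Set<String> ALLOWED = Set.of(Message.class.getName());

    // ObjectInputStream that consults the allow-list for every class descriptor.
    static final class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Benign payload type the application actually expects.
    static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Constructed stand-in for a dangerous type: its readObject() has a
    // side effect that must not be reachable from untrusted bytes.
    static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("  !! readObject side effect ran");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize through the allow-list; returns null when the stream is rejected.
    static Object safeDeserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("  rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("allowed type:");
        Message m = (Message) safeDeserialize(serialize(new Message("hello")));
        System.out.println("  got Message: " + m.text);

        System.out.println("disallowed type:");
        Object rejected = safeDeserialize(serialize(new SideEffectOnRead()));
        System.out.println("  result: " + rejected);   // null; the side effect never ran
    }
}
```

The second call is refused inside `resolveClass()` with an `InvalidClassException`, so the `readObject()` of the stand-in type is never reached; that is the property the advisory's "isolate the code doing the (de)serialization" advice is after, and it holds regardless of which Groovy version is on the classpath. On Java 9 and later (and 8u121+) the same policy can be expressed declaratively with the JEP 290 `ObjectInputFilter` mechanism (`ObjectInputStream.setObjectInputFilter` or the `jdk.serialFilter` system property), which is preferable to subclassing when available.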