0day Today Exploits Market and 0day Exploits Database

Apache Groovy 2.4.x Disclosure Vulnerabilities

Author: cpnrodzc7
Risk: Security Risk Medium
0day-ID: 0day-ID-23895
Category: remote exploits
Date added: 17-07-2015
CVE: CVE-2015-3253
Platform: multiple
*Severity*: Important

*Vendor*: The Apache Software Foundation

*Versions Affected*:

All unsupported versions ranging from 1.7.0 to 2.4.3.

*Impact*

Remote execution of untrusted code, DoS

Here you can find information about security patches or updates released for Apache Groovy. Note that unless specified otherwise, no binary or source patches are available. To obtain a security fix, you need to upgrade to the latest maintained version of Apache Groovy.

Releases prior to 2.4.4 were not released under Apache, so no official patches for security updates are available for older versions.

    Groovy 2.4.x vulnerabilities
    Fixed in Groovy 2.4.4

    Important: CVE-2015-3253: Remote execution of untrusted code

    Description

    When an application has Groovy on the classpath and uses the standard Java serialization mechanism to communicate between servers, or to store local data, an attacker can craft a special serialized object that executes code directly when it is deserialized. All applications that rely on serialization and do not isolate the code that deserializes objects are subject to this vulnerability.

    Mitigation

    Apache Groovy 2.4.4 is the first and only supported release under the Apache Software Foundation. It is strongly recommended that all users who use serialization upgrade to this version. If you cannot upgrade, or rely on an older, unsupported version of Groovy, you can apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

     public class MethodClosure extends Closure {
    +    private Object readResolve() {
    +        throw new UnsupportedOperationException();
    +    }
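    Review bot: the `private Object readResolve()` added in this hunk is applied only to objects whose runtime class is exactly MethodClosure; Java serialization does not invoke a private readResolve declared in a superclass, so a serialized subclass of MethodClosure would still be resolved normally. Declaring it `protected Object readResolve()` closes that gap, and passing a message such as `new UnsupportedOperationException("MethodClosure is not deserializable")` makes the rejection recognisable in application logs. Note also that readResolve runs only after the object's fields have already been read from the stream, so it is a last line of defence rather than a substitute for validating the stream before instantiation.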

    Alternatively, make sure you use a custom security policy file (enforced by the standard Java security manager), or make sure that you do not rely on Java serialization to communicate remotely.
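As an added example that is not part of this advisory or of the Groovy code base, the following look-ahead ObjectInputStream enforces an explicit class allow list, rejecting any class descriptor that is not listed before the object's fields are read; it complements the readResolve() patch, which can only act after a MethodClosure has been reconstructed. The allow list contents and the `Unexpected` type are constructed for the demonstration.

```java
import java.io.*;
import java.util.*;

// Look-ahead deserialization: fail closed on any class not explicitly allowed.
public class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // resolveClass runs when the class descriptor is read, i.e. before any
        // instance is created or any field is populated.
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow list");
        }
        return super.resolveClass(desc);
    }

    // Constructed, harmless type that is deliberately NOT on the allow list.
    static class Unexpected implements Serializable { int x = 1; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readWithAllowList(byte[] bytes, Set<String> allowed) throws Exception {
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.ArrayList", "java.lang.String"));
        // Accepted: only allow-listed classes appear in the stream (strings are written as
        // TC_STRING records and never pass through resolveClass).
        System.out.println(readWithAllowList(serialize(new ArrayList<>(Arrays.asList("a", "b"))), allowed));
        // Rejected: Unexpected is not allow-listed, so the stream is refused before instantiation.
        try {
            readWithAllowList(serialize(new Unexpected()), allowed);
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

On Java 9 and later (and 8u121+), the built-in `ObjectInputFilter` with a pattern such as `java.util.*;java.lang.*;!*` achieves the same effect without subclassing ObjectInputStream.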


#  0day.today [2024-11-15]  #