CVE-2015-3253
Remote code execution vulnerability in groovy (Maven)

Vulnerability type: Remote code execution. Public exploit: No known exploit.

What is CVE-2015-3253 About?

The MethodClosure class in Apache Groovy allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object. This lets an attacker take control of, or disrupt, the application. Exploitation requires that the application deserialize untrusted input.

Affected Software

  • org.codehaus.groovy:groovy
    • >1.7.0, <2.4.4
  • org.codehaus.groovy:groovy-all
    • >1.7.0, <2.4.4

Technical Details

The MethodClosure class (runtime/MethodClosure.java) in Apache Groovy versions 1.7.0 through 2.4.3 is vulnerable to remote code execution and denial of service via deserialization of crafted objects. When a vulnerable Groovy application deserializes a specially constructed serialized MethodClosure object, the readObject() handling of the MethodClosure can be manipulated to invoke arbitrary methods, enabling an attacker to execute code on the host system. Exploitation typically leverages the flexibility of Groovy's dynamic method invocation during deserialization. If the invoked method throws an unhandled exception or enters an infinite loop, the result is a denial of service instead.

What is the Impact of CVE-2015-3253?

Successful exploitation may allow attackers to execute arbitrary code with the privileges of the affected application, leading to a complete compromise of the system, or cause a denial of service by crashing the application.

What is the Exploitability of CVE-2015-3253?

Exploitation of this remote code execution/denial of service vulnerability is of medium complexity. It requires that the target application deserializes untrusted input, specifically crafted serialized Groovy MethodClosure objects. No authentication is typically needed if the deserialization endpoint is exposed. The attack is remote, requiring an attacker to send a malicious serialized object to a vulnerable service. Prerequisites include the use of Apache Groovy within the specified vulnerable versions and an application endpoint that performs deserialization. Key risk factors are open deserialization channels and insufficient validation of deserialized object types.
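As an added example (not code from the original page or from the Groovy project), the following Java class addresses the last risk factor named above, insufficient validation of deserialized object types: a look-ahead ObjectInputStream that refuses the MethodClosure class named by this CVE, and anything outside an explicit allowlist, before any instance is created. The allowlist contents and the sample payloads are assumptions for the demo.

```java
import java.io.*;
import java.util.*;

// Added example: look-ahead deserialization for an application that ships
// Apache Groovy. resolveClass() runs before an object is instantiated, so a
// rejected class never gets its readObject() executed.
public class SafeObjectInputStream extends ObjectInputStream {

    // Gadget class named by CVE-2015-3253; denied unconditionally.
    static final String GROOVY_METHOD_CLOSURE =
        "org.codehaus.groovy.runtime.MethodClosure";

    // Hypothetical allowlist: only the types this endpoint legitimately exchanges.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.util.HashMap"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (name.equals(GROOVY_METHOD_CLOSURE) || name.startsWith("org.codehaus.groovy.")) {
            throw new InvalidClassException(name, "Groovy runtime classes are not accepted");
        }
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Helper for the demo: serialize a constructed sample object to bytes.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new ArrayList<>(Arrays.asList("a", "b")));  // constructed, allowlisted
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(ok))) {
            System.out.println("accepted: " + in.readObject());
        }
        byte[] bad = serialize(new Date());  // constructed, not allowlisted: rejected before readObject
        try (ObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bad))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same policy can be expressed without a subclass via ObjectInputFilter (for example a pattern of the form "!org.codehaus.groovy.**;java.util.ArrayList;java.util.HashMap;!*" passed to ObjectInputFilter.Config.createFilter and set with setObjectInputFilter); the subclass approach shown here also works on the older JVMs that Groovy 1.7 through 2.4.3 applications commonly run on.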

What are the Known Public Exploits?

Known public exploits (PoC, author, link, commentary): none known.

What are the Available Fixes for CVE-2015-3253?

Available Upgrade Options

  • org.codehaus.groovy:groovy
    • >1.7.0, <2.4.4 → Upgrade to 2.4.4
  • org.codehaus.groovy:groovy-all
    • >1.7.0, <2.4.4 → Upgrade to 2.4.4


Additional Resources

What are Similar Vulnerabilities to CVE-2015-3253?

Similar Vulnerabilities: CVE-2015-6420, CVE-2019-17558, CVE-2020-13936, CVE-2020-5398, CVE-2016-2169