CVE-2015-3253
First published: Thu Jul 16 2015(Updated: )
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Groovy | =1.7.0 | |
| Apache Groovy | =1.7.0-beta_1 | |
| Apache Groovy | =1.7.0-beta_2 | |
| Apache Groovy | =1.7.0-rc1 | |
| Apache Groovy | =1.7.0-rc2 | |
| Apache Groovy | =1.7.1 | |
| Apache Groovy | =1.7.2 | |
| Apache Groovy | =1.7.3 | |
| Apache Groovy | =1.7.4 | |
| Apache Groovy | =1.7.5 | |
| Apache Groovy | =1.7.6 | |
| Apache Groovy | =1.7.7 | |
| Apache Groovy | =1.7.8 | |
| Apache Groovy | =1.7.9 | |
| Apache Groovy | =1.7.10 | |
| Apache Groovy | =1.7.11 | |
| Apache Groovy | =1.8.0 | |
| Apache Groovy | =1.8.0-beta_1 | |
| Apache Groovy | =1.8.0-beta_2 | |
| Apache Groovy | =1.8.0-beta_3 | |
| Apache Groovy | =1.8.0-beta_4 | |
| Apache Groovy | =1.8.0-rc1 | |
| Apache Groovy | =1.8.0-rc2 | |
| Apache Groovy | =1.8.0-rc3 | |
| Apache Groovy | =1.8.0-rc4 | |
| Apache Groovy | =1.8.1 | |
| Apache Groovy | =1.8.2 | |
| Apache Groovy | =1.8.3 | |
| Apache Groovy | =1.8.4 | |
| Apache Groovy | =1.8.5 | |
| Apache Groovy | =1.8.6 | |
| Apache Groovy | =1.8.7 | |
| Apache Groovy | =1.8.8 | |
| Apache Groovy | =1.8.9 | |
| Apache Groovy | =1.9.0 | |
| Apache Groovy | =1.9.0-beta_1 | |
| Apache Groovy | =1.9.0-beta_3 | |
| Apache Groovy | =1.9.0-beta_4 | |
| Apache Groovy | =2.0.0 | |
| Apache Groovy | =2.0.0-beta_1 | |
| Apache Groovy | =2.0.0-beta_2 | |
| Apache Groovy | =2.0.0-beta_3 | |
| Apache Groovy | =2.0.0-rc1 | |
| Apache Groovy | =2.0.0-rc2 | |
| Apache Groovy | =2.0.0-rc3 | |
| Apache Groovy | =2.0.0-rc4 | |
| Apache Groovy | =2.0.1 | |
| Apache Groovy | =2.0.2 | |
| Apache Groovy | =2.0.3 | |
| Apache Groovy | =2.0.4 | |
| Apache Groovy | =2.0.5 | |
| Apache Groovy | =2.0.6 | |
| Apache Groovy | =2.0.7 | |
| Apache Groovy | =2.0.8 | |
| Apache Groovy | =2.1.0 | |
| Apache Groovy | =2.1.0-beta_1 | |
| Apache Groovy | =2.1.0-rc1 | |
| Apache Groovy | =2.1.0-rc2 | |
| Apache Groovy | =2.1.0-rc3 | |
| Apache Groovy | =2.1.1 | |
| Apache Groovy | =2.1.2 | |
| Apache Groovy | =2.1.3 | |
| Apache Groovy | =2.1.4 | |
| Apache Groovy | =2.1.5 | |
| Apache Groovy | =2.1.6 | |
| Apache Groovy | =2.1.7 | |
| Apache Groovy | =2.1.8 | |
| Apache Groovy | =2.1.9 | |
| Apache Groovy | =2.2.0 | |
| Apache Groovy | =2.2.0-beta_1 | |
| Apache Groovy | =2.2.0-beta_2 | |
| Apache Groovy | =2.2.0-rc1 | |
| Apache Groovy | =2.2.0-rc2 | |
| Apache Groovy | =2.2.0-rc3 | |
| Apache Groovy | =2.2.1 | |
| Apache Groovy | =2.2.2 | |
| Apache Groovy | =2.3.0 | |
| Apache Groovy | =2.3.0-beta_1 | |
| Apache Groovy | =2.3.0-beta_2 | |
| Apache Groovy | =2.3.0-rc1 | |
| Apache Groovy | =2.3.0-rc2 | |
| Apache Groovy | =2.3.0-rc3 | |
| Apache Groovy | =2.3.1 | |
| Apache Groovy | =2.3.2 | |
| Apache Groovy | =2.3.3 | |
| Apache Groovy | =2.3.4 | |
| Apache Groovy | =2.3.5 | |
| Apache Groovy | =2.3.6 | |
| Apache Groovy | =2.3.7 | |
| Apache Groovy | =2.3.8 | |
| Apache Groovy | =2.3.9 | |
| Apache Groovy | =2.3.10 | |
| Apache Groovy | =2.3.11 | |
| Apache Groovy | =2.4.0 | |
| Apache Groovy | =2.4.0-beta_1 | |
| Apache Groovy | =2.4.0-beta_2 | |
| Apache Groovy | =2.4.0-beta_3 | |
| Apache Groovy | =2.4.0-beta_4 | |
| Apache Groovy | =2.4.0-rc1 | |
| Apache Groovy | =2.4.0-rc2 | |
| Apache Groovy | =2.4.1 | |
| Apache Groovy | =2.4.2 | |
| Apache Groovy | =2.4.3 | |
| Oracle Health Sciences Clinical Development Center | =3.1.1 | |
| Oracle Health Sciences Clinical Development Center | =3.1.2 | |
| Oracle Retail Order Broker Cloud Service | =4.1 | |
| Oracle Retail Order Broker Cloud Service | =5.1 | |
| Oracle Retail Order Broker Cloud Service | =5.2 | |
| Oracle Retail Order Broker Cloud Service | =15.0 | |
| Oracle Retail Service Backbone | =13.0 | |
| Oracle Retail Service Backbone | =13.1 | |
| Oracle Retail Service Backbone | =13.2 | |
| Oracle Retail Service Backbone | =14.0 | |
| Oracle Retail Service Backbone | =14.1 | |
| Oracle Retail Service Backbone | =15.0 | |
| Oracle Retail Store Inventory Management | =13.2 | |
| Oracle Retail Store Inventory Management | =14.0 | |
| Oracle Retail Store Inventory Management | =14.1 | |
| Oracle WebCenter Sites | =11.1.1.8.0 | |
| Oracle WebCenter Sites | =12.2.1 | |
| redhat/Groovy | <2.4.4 | 2.4.4 |
| maven/org.codehaus.groovy:groovy-all | >=1.7.0<=2.4.3 | 2.4.4 |
| maven/org.codehaus.groovy:groovy | >=1.7.0<=2.4.3 | 2.4.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://groovy-lang.org/security.html
- http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.html
- http://rhn.redhat.com/errata/RHSA-2016-0066.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/archive/1/536012/100/0/threaded
- http://www.securityfocus.com/bid/75919
- http://www.securityfocus.com/bid/91787
- http://www.securitytracker.com/id/1034815
- http://www.zerodayinitiative.com/advisories/ZDI-15-365/
- https://access.redhat.com/errata/RHSA-2016:1376
- https://access.redhat.com/errata/RHSA-2017:2486
- https://access.redhat.com/errata/RHSA-2017:2596
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
- https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed@%3Cnotifications.shardingsphere.apache.org%3E
- https://security.gentoo.org/glsa/201610-01
- https://security.netapp.com/advisory/ntap-20160623-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://seclists.org/oss-sec/2015/q3/121
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1076242
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1076242&action=edit
- https://rhn.redhat.com/errata/RHSA-2015-2558.html
- https://rhn.redhat.com/errata/RHSA-2015-2557.html
- https://rhn.redhat.com/errata/RHSA-2015-2556.html
- https://rhn.redhat.com/errata/RHSA-2016-0066.html
- https://rhn.redhat.com/errata/RHSA-2016-0118.html
- https://access.redhat.com/support/policy/updates/jboss_notes/eol/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1243934#c0
- https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
- https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1243934#c30
- https://access.redhat.com/security/cve/CVE-2016-6814
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1413466
- https://bugzilla.redhat.com/show_bug.cgi?id=1243934
- https://lists.apache.org/thread.html/rbb8e16cc5acab183124572b655bdf5fe1d5b5f477dc267352426c7ed%40%3Cnotifications.shardingsphere.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2015-3253
- https://security.netapp.com/advisory/ntap-20160623-0001
- http://www.zerodayinitiative.com/advisories/ZDI-15-365
- https://github.com/advisories/GHSA-qg25-hgjv-cg9q (Advisory)
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-3253
- agent/software-canonical-lookup
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qg25-hgjv-cg9q
- agent/references
- agent/severity
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- agent/tags
- agent/trending
- vendor/apache
- canonical/apache groovy
- version/apache groovy/1.7.0
- version/apache groovy/1.7.0-beta_1
- version/apache groovy/1.7.0-beta_2
- version/apache groovy/1.7.0-rc1
- version/apache groovy/1.7.0-rc2
- version/apache groovy/1.7.1
- version/apache groovy/1.7.2
- version/apache groovy/1.7.3
- version/apache groovy/1.7.4
- version/apache groovy/1.7.5
- version/apache groovy/1.7.6
- version/apache groovy/1.7.7
- version/apache groovy/1.7.8
- version/apache groovy/1.7.9
- version/apache groovy/1.7.10
- version/apache groovy/1.7.11
- version/apache groovy/1.8.0
- version/apache groovy/1.8.0-beta_1
- version/apache groovy/1.8.0-beta_2
- version/apache groovy/1.8.0-beta_3
- version/apache groovy/1.8.0-beta_4
- version/apache groovy/1.8.0-rc1
- version/apache groovy/1.8.0-rc2
- version/apache groovy/1.8.0-rc3
- version/apache groovy/1.8.0-rc4
- version/apache groovy/1.8.1
- version/apache groovy/1.8.2
- version/apache groovy/1.8.3
- version/apache groovy/1.8.4
- version/apache groovy/1.8.5
- version/apache groovy/1.8.6
- version/apache groovy/1.8.7
- version/apache groovy/1.8.8
- version/apache groovy/1.8.9
- version/apache groovy/1.9.0
- version/apache groovy/1.9.0-beta_1
- version/apache groovy/1.9.0-beta_3
- version/apache groovy/1.9.0-beta_4
- version/apache groovy/2.0.0
- version/apache groovy/2.0.0-beta_1
- version/apache groovy/2.0.0-beta_2
- version/apache groovy/2.0.0-beta_3
- version/apache groovy/2.0.0-rc1
- version/apache groovy/2.0.0-rc2
- version/apache groovy/2.0.0-rc3
- version/apache groovy/2.0.0-rc4
- version/apache groovy/2.0.1
- version/apache groovy/2.0.2
- version/apache groovy/2.0.3
- version/apache groovy/2.0.4
- version/apache groovy/2.0.5
- version/apache groovy/2.0.6
- version/apache groovy/2.0.7
- version/apache groovy/2.0.8
- version/apache groovy/2.1.0
- version/apache groovy/2.1.0-beta_1
- version/apache groovy/2.1.0-rc1
- version/apache groovy/2.1.0-rc2
- version/apache groovy/2.1.0-rc3
- version/apache groovy/2.1.1
- version/apache groovy/2.1.2
- version/apache groovy/2.1.3
- version/apache groovy/2.1.4
- version/apache groovy/2.1.5
- version/apache groovy/2.1.6
- version/apache groovy/2.1.7
- version/apache groovy/2.1.8
- version/apache groovy/2.1.9
- version/apache groovy/2.2.0
- version/apache groovy/2.2.0-beta_1
- version/apache groovy/2.2.0-beta_2
- version/apache groovy/2.2.0-rc1
- version/apache groovy/2.2.0-rc2
- version/apache groovy/2.2.0-rc3
- version/apache groovy/2.2.1
- version/apache groovy/2.2.2
- version/apache groovy/2.3.0
- version/apache groovy/2.3.0-beta_1
- version/apache groovy/2.3.0-beta_2
- version/apache groovy/2.3.0-rc1
- version/apache groovy/2.3.0-rc2
- version/apache groovy/2.3.0-rc3
- version/apache groovy/2.3.1
- version/apache groovy/2.3.2
- version/apache groovy/2.3.3
- version/apache groovy/2.3.4
- version/apache groovy/2.3.5
- version/apache groovy/2.3.6
- version/apache groovy/2.3.7
- version/apache groovy/2.3.8
- version/apache groovy/2.3.9
- version/apache groovy/2.3.10
- version/apache groovy/2.3.11
- version/apache groovy/2.4.0
- version/apache groovy/2.4.0-beta_1
- version/apache groovy/2.4.0-beta_2
- version/apache groovy/2.4.0-beta_3
- version/apache groovy/2.4.0-beta_4
- version/apache groovy/2.4.0-rc1
- version/apache groovy/2.4.0-rc2
- version/apache groovy/2.4.1
- version/apache groovy/2.4.2
- version/apache groovy/2.4.3
- vendor/oracle
- canonical/oracle health sciences clinical development center
- version/oracle health sciences clinical development center/3.1.1
- version/oracle health sciences clinical development center/3.1.2
- canonical/oracle retail order broker cloud service
- version/oracle retail order broker cloud service/4.1
- version/oracle retail order broker cloud service/5.1
- version/oracle retail order broker cloud service/5.2
- version/oracle retail order broker cloud service/15.0
- canonical/oracle retail service backbone
- version/oracle retail service backbone/13.0
- version/oracle retail service backbone/13.1
- version/oracle retail service backbone/13.2
- version/oracle retail service backbone/14.0
- version/oracle retail service backbone/14.1
- version/oracle retail service backbone/15.0
- canonical/oracle retail store inventory management
- version/oracle retail store inventory management/13.2
- version/oracle retail store inventory management/14.0
- version/oracle retail store inventory management/14.1
- canonical/oracle webcenter sites
- version/oracle webcenter sites/11.1.1.8.0
- version/oracle webcenter sites/12.2.1
- package-manager/redhat
- package-manager/maven