[GROOVY-7664] Deserializing Groovy objects results in arbitrary remote code execution - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4.5
Fix Version/s: 2.4.4
Component/s: groovy-runtime
Labels:

Description

A specific object structure of Groovy objects can be used to run arbitrary commands remotely via unchecked deserialization. See issue ~~COLLECTIONS-580~~ for a related problem in another library.

See the following links for details:

http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

The payload-building code:

https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Devin Rosenbauer

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Nov/15 18:52

Updated:: 09/Nov/15 19:02

Resolved:: 09/Nov/15 19:02