CVE-2015-3253 — CRITICAL (9.8)

Vulnerability Description

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

CVSS Score

9.8

CRITICAL

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Groovy	1.7.0
Oracle	Health Sciences Clinical Development Center	3.1.1
Oracle	Retail Order Broker Cloud Service	4.1
Oracle	Retail Service Backbone	13.0
Oracle	Retail Store Inventory Management	13.2
Oracle	Webcenter Sites	11.1.1.8.0

Related Weaknesses (CWE)

CWE-74

References

http://groovy-lang.org/security.htmlVendor Advisory
http://packetstormsecurity.com/files/132714/Apache-Groovy-2.4.3-Code-Execution.hMitigationThird Party AdvisoryVDB Entry
http://rhn.redhat.com/errata/RHSA-2016-0066.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/archive/1/536012/100/0/threaded
http://www.securityfocus.com/bid/75919Third Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/91787Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1034815
http://www.zerodayinitiative.com/advisories/ZDI-15-365/Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2016:1376

FAQ

What is CVE-2015-3253?

CVE-2015-3253 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized objec...

How severe is CVE-2015-3253?

CVE-2015-3253 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2015-3253?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Groovy, Oracle Health Sciences Clinical Development Center, Oracle Retail Order Broker Cloud Service, Oracle Retail Service Backbone, Oracle Retail Store Inventory Management.