Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-4928

Upgrade Groovy version in distro to 2.4.5

    XMLWordPrintable

Details

    • Task
    • Status: Closed
    • L3 - Default
    • Resolution: Fixed
    • None
    • 7.4.0, 7.4.0-alpha3
    • engine
    • None

    Description

      Groovy versions <= 2.4.3 suffer from a security vulnerability with deserializing objects which can be exploited in combination with our webapps. We currently ship 2.3.0 in our distros and should ship at least 2.4.4 to save our users the effort to detect this.

      Attack scenario:
      1. Craft a java-serialized groovy object that executes arbitrary shell commands upon deserialization with this tool: https://github.com/frohoff/ysoserial
      2. Encode the resulting bytes in base64
      3. Set the value as a variable
      4. Access the variable in Cockpit => this triggers deserialization and executes the desired shell command

      See also: http://www.groovy-lang.org/security.html

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Issue Links

            is related to

            Feature Request - A new feature of the product, which has yet to be developed. CAM-5020 Replace groovy-all-2.3.0.jar with a newer version

            • L3 - Default - Minor issue or issue with existing workaround, feature requests and questions
            • Closed

            Activity

              People

                smirnov Roman Smirnov
                thorben.lindhauer Thorben Lindhauer
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Salesforce