Details
-
Type:
Task
-
Status: Closed
-
Priority:
L3 - Default
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: 7.4.0, 7.4.0-alpha3
-
Component/s: engine
-
Labels:None
Description
Groovy versions <= 2.4.3 suffer from a security vulnerability with deserializing objects which can be exploited in combination with our webapps. We currently ship 2.3.0 in our distros and should ship at least 2.4.4 to save our users the effort to detect this.
Attack scenario:
1. Craft a java-serialized groovy object that executes arbitrary shell commands upon deserialization with this tool: https://github.com/frohoff/ysoserial
2. Encode the resulting bytes in base64
3. Set the value as a variable
4. Access the variable in Cockpit => this triggers deserialization and executes the desired shell command
See also: http://www.groovy-lang.org/security.html
mgm-controller-panel
This is the controller panel for Smart Panels app
Attachments
Issue Links
- is related to
-
CAM-5020 Replace groovy-all-2.3.0.jar with a newer version
-
- Closed
-