IBM Support

Security Bulletin: Vulnerability in Apache Groovy that could affect IBM Development Package for Apache Spark (CVE-2015-3253)

Created by Stephen Hellberg on
Published URL:
https://www.ibm.com/support/pages/node/284229
284229

Security Bulletin


Summary

Apache Groovy™ could allow a remote attacker to run arbitrary, untrusted code on the system.

Vulnerability Details

CVEID: CVE-2015-3253

DESCRIPTION: Apache Groovy could allow a remote attacker to run arbitrary, untrusted code on the system. This issue is caused by the failure to isolate serialization code when using a standard Java™ serialization method to communicate objects between servers. An attacker could use this vulnerability to deserialize objects and run untrusted code on the system, or to cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM® Development Package for Apache Spark™ v1.5.2.x, v1.6.0.x, and v1.6.1.x

These depend upon a version of Groovy, prior to Apache Groovy v2.4.4, that is affected by this vulnerability.

Remediation/Fixes

IBM Development Package for Apache Spark v1.6.2.0 and later

Workarounds and Mitigations

Apache Groovy have published a source code patch of their MethodClosure class for prior Groovy versions that cannot be upgraded to the fixed version released by the Apache Software Foundation.

However, it is an involved manual process to apply this source code patch within Apache Spark. First, you will need to obtain the relevant Groovy source code at the correct version (2.1.6) being used (to satisfy a Hive 1.2.1 dependency), patching it, re-compiling and packaging the Groovy component as a revised JAR, and substituting this within the Apache Spark assembly JAR file. Other JARs in a custom Spark application should be searched to discover if any other instances of Groovy are bundled to address other dependencies, and these instances should also be mitigated. This manual process involves a high risk of error.

IBM recommends upgrading to a fixed release of the IBM Development Package for Apache Spark.

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Off

Acknowledgement

cpnrodzc7 working with HP's Zero Day Initiative

Change History

8 July 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSAHSS","label":"Development Package for Apache Spark"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"1.0","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
15 June 2018

UID

swg21986687