Security Bulletin
Summary
Apache Groovy™ could allow a remote attacker to run arbitrary, untrusted code on the system.
Vulnerability Details
CVEID: CVE-2015-3253
DESCRIPTION: Apache Groovy could allow a remote attacker to run arbitrary, untrusted code on the system. This issue is caused by the failure to isolate serialization code when using a standard Java™ serialization method to communicate objects between servers. An attacker could use this vulnerability to deserialize objects and run untrusted code on the system, or to cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104819 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
IBM® Development Package for Apache Spark™ v1.5.2.x, v1.6.0.x, and v1.6.1.x
These depend upon a version of Groovy, prior to Apache Groovy v2.4.4, that is affected by this vulnerability.
Remediation/Fixes
IBM Development Package for Apache Spark v1.6.2.0 and later
Workarounds and Mitigations
Apache Groovy have published a source code patch of their MethodClosure class for prior Groovy versions that cannot be upgraded to the fixed version released by the Apache Software Foundation.
However, it is an involved manual process to apply this source code patch within Apache Spark. First, you will need to obtain the relevant Groovy source code at the correct version (2.1.6) being used (to satisfy a Hive 1.2.1 dependency), patching it, re-compiling and packaging the Groovy component as a revised JAR, and substituting this within the Apache Spark assembly JAR file. Other JARs in a custom Spark application should be searched to discover if any other instances of Groovy are bundled to address other dependencies, and these instances should also be mitigated. This manual process involves a high risk of error.
IBM recommends upgrading to a fixed release of the IBM Development Package for Apache Spark.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Acknowledgement
cpnrodzc7 working with HP's Zero Day Initiative
Change History
8 July 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21986687