Posted to notifications@shardingsphere.apache.org by GitBox <gi...@apache.org> on 2020/06/24 02:46:59 UTC

[GitHub] [shardingsphere] liuqiankun93 opened a new issue #6180: The groovy-2.4.5-indy.jar has High-level security risks

liuqiankun93 opened a new issue #6180:
URL: https://github.com/apache/shardingsphere/issues/6180


   sharding-jdbc-core version is 4.1.1.
   The groovy-2.4.5-indy.jar has High-level security risks.
   
   http://groovy-lang.org/security.html
   
   A flaw within src/main/org/codehaus/groovy/runtime/MethodClosure.java allows remote attackers to perform RCE (Remote Code Execution) or DoS (Denial of Service) via specially crafted serialized objects.
   
   Whilst the original disclosure was made in 2016 (2016-09-20), additional details regarding the affected versions were made available in 2017 (2017-01-12).
   
   It has been noted that this vulnerability is similar to CVE-2015-3253; however, exploitation differs.
   
   How to fix it
   Solution - Fix Available
   Upgrade to version 2.4.8 or later.
   
   Can Groovy be upgraded to version 2.4.8 or later in sharding-jdbc-core 4.1.2?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
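
A check for the condition reported in the issue above, added here as an example; it is not part of the original thread or of ShardingSphere. It flags Groovy core artifacts older than the 2.4.8 fix version named in the issue, in `mvn dependency:tree` output or in a listing of jar file names. The sample input and the function name are constructed for illustration.

```python
import re

# Fix version stated in the issue: "Upgrade to version 2.4.8 or later."
FIXED = (2, 4, 8)

# Maven coordinates as printed by `mvn dependency:tree`:
# group:artifact:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"\borg\.codehaus\.groovy:groovy(?:-all)?:jar:(?:[A-Za-z]\w*:)?(\d+(?:\.\d+)+)[^:\s]*:\w+"
)
# Jar file names such as groovy-2.4.5-indy.jar or groovy-all-2.4.7.jar
JAR_RE = re.compile(r"\bgroovy(?:-all)?-(\d+(?:\.\d+)+)[\w.-]*\.jar\b")

# Constructed sample input (not taken from a real build).
SAMPLE = """\
[INFO] +- org.apache.shardingsphere:sharding-jdbc-core:jar:4.1.1:compile
[INFO] |  \\- org.codehaus.groovy:groovy:jar:indy:2.4.5:compile
[INFO] +- org.codehaus.groovy:groovy:jar:2.4.8:compile
WEB-INF/lib/groovy-2.4.5-indy.jar
WEB-INF/lib/groovy-all-2.4.12.jar
""".splitlines()


def find_old_groovy(lines, fixed=FIXED):
    """Return (line_number, version) for each Groovy core artifact below `fixed`."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for pattern in (COORD_RE, JAR_RE):
            match = pattern.search(line)
            if not match:
                continue
            version = tuple(int(part) for part in match.group(1).split("."))
            # Compare numerically so that 2.4.12 is not treated as older than 2.4.8.
            if version < fixed:
                findings.append((number, match.group(1)))
            break
    return findings


if __name__ == "__main__":
    for number, version in find_old_groovy(SAMPLE):
        print(f"line {number}: groovy {version} is below 2.4.8")
```
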



[GitHub] [shardingsphere] liuqiankun93 commented on issue #6180: The groovy-2.4.5-indy.jar has High-level security risks

Posted by GitBox <gi...@apache.org>.
liuqiankun93 commented on issue #6180:
URL: https://github.com/apache/shardingsphere/issues/6180#issuecomment-648700261


   @kimmking 
   hello.
   My company's project does not allow security risks when it is released. Therefore I can't use sharding-jdbc-core 4.1.1.
   So I want to know when it can be upgraded.
   Thanks.
   





[GitHub] [shardingsphere] terrymanu closed issue #6180: The groovy-2.4.5-indy.jar has High-level security risks

Posted by GitBox <gi...@apache.org>.
terrymanu closed issue #6180:
URL: https://github.com/apache/shardingsphere/issues/6180


   

