Impact
Start scripts generated by the application plugin and the gradlew script are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script.
This may impact you if you use gradlew on Unix-like systems or use the scripts generated by Gradle in your application on Unix-like systems.
For gradlew, commands can be included in either JAVA_OPTS or GRADLE_OPTS.
For start scripts, commands can be included in either JAVA_OPTS or <APP_NAME>_OPTS.
For example, if a command is added to JAVA_OPTS and the user runs a Gradle build:
$ export JAVA_OPTS='-Xmx512m $(touch foo)'
$ ./gradlew build
This will execute touch foo, but any command will work here. When determining the command-line for the Java process that is started by the script, any commands found in these environment variables will be executed as the user running the script.
For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts.
This vulnerability was found during a security audit. We do not know of any exploits based on this vulnerability.
Patches
This issue has been patched in Gradle 7.2 by updating our start script template.
Workarounds
CI/CD systems using the Gradle build tool
You are not vulnerable if untrusted users are unable to change environment variables for the user that executes gradlew.
If you are unable to upgrade to Gradle 7.2, you can generate a new gradlew script with Gradle 7.2 and use it for older versions of Gradle.
Applications using start scripts generated by Gradle
You are not vulnerable if untrusted users are unable to change environment variables for the user that executes the start script.
If you are unsure, the vulnerable start script could be manually patched to remove the use of eval or the use of environment variables that affect the application's command-line.
If the application is simple enough, you may be able to avoid the use of the start scripts by running the application directly with Java command.
References
Questions?
- For security related issues, please email us at security@gradle.com.
- For non-security related issues, please open an issue on GitHub.
Impact
Start scripts generated by the
applicationplugin and thegradlewscript are both vulnerable to arbitrary code execution when an attacker is able to change environment variables for the user running the script.This may impact you if you use
gradlewon Unix-like systems or use the scripts generated by Gradle in your application on Unix-like systems.For
gradlew, commands can be included in eitherJAVA_OPTSorGRADLE_OPTS.For start scripts, commands can be included in either
JAVA_OPTSor<APP_NAME>_OPTS.For example, if a command is added to
JAVA_OPTSand the user runs a Gradle build:This will execute
touch foo, but any command will work here. When determining the command-line for the Java process that is started by the script, any commands found in these environment variables will be executed as the user running the script.For this vulnerability to be exploitable, an attacker needs to be able to set the value of particular environment variables and have those environment variables be seen by the vulnerable scripts.
This vulnerability was found during a security audit. We do not know of any exploits based on this vulnerability.
Patches
This issue has been patched in Gradle 7.2 by updating our start script template.
Workarounds
CI/CD systems using the Gradle build tool
You are not vulnerable if untrusted users are unable to change environment variables for the user that executes
gradlew.If you are unable to upgrade to Gradle 7.2, you can generate a new
gradlewscript with Gradle 7.2 and use it for older versions of Gradle.Applications using start scripts generated by Gradle
You are not vulnerable if untrusted users are unable to change environment variables for the user that executes the start script.
If you are unsure, the vulnerable start script could be manually patched to remove the use of
evalor the use of environment variables that affect the application's command-line.If the application is simple enough, you may be able to avoid the use of the start scripts by running the application directly with Java command.
References
Questions?