Bug 1413466 (CVE-2016-6814)
| Summary: | CVE-2016-6814 Apache Groovy: Remote code execution via deserialization | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Hooman Broujerdi <hghasemb> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abhgupta, aileenc, alazarot, aszczucz, bcourt, bdawidow, bkearney, bmcclain, cbillett, chazlett, dandread, dblechte, dmcphers, dmoppert, eedri, epp-bugs, etirelli, fnasser, gjospin, gvarsami, hhorak, huwang, java-maint, java-sig-commits, jbpapp-maint, jcoleman, jialiu, jmatthew, jokerman, jolee, jorton, jpallich, jschatte, jshepherd, kconner, kverlaen, ldimaggi, lgao, lmeyer, lpetrovi, lsurette, mbaluch, mgoldboi, miburman, michal.skrivanek, mizdebsk, mmccomas, mmccune, msrb, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, puntogil, Rhev-m-bugs, rrajasek, rwagner, rzhang, sbonazzo, soa-p-jira, spinder, srevivo, tcunning, theute, tiwillia, tkirby, tlestach, tsanders, twalsh, vhalbert, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | groovy 2.4.8 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:05:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1413700, 1413504, 1413505, 1413699, 1416890, 1466643, 1466644, 1470818, 1483945, 1483946 | ||
| Bug Blocks: | 1385169, 1413468, 1415286 | ||
|
Description
Hooman Broujerdi
2017-01-16 04:40:30 UTC
Created groovy tracking bugs for this issue: Affects: fedora-all [bug 1413504] Created groovy18 tracking bugs for this issue: Affects: fedora-all [bug 1413505] JBoss Operations Network (JON) 3.3.x is not directly affected by this issue as it does not deserialize untrusted content. Please be sure you've applied the changes to JON described in this article to reduce the risk of this kind of attack: https://access.redhat.com/articles/2570101. If we do another maintence release of JON 3.3.x we will include a patch for this issue as a defence in depth measure. You can track that change here: https://bugzilla.redhat.com/show_bug.cgi?id=1415511. This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.3 Update 4 Via RHSA-2017:0272 https://rhn.redhat.com/errata/RHSA-2017-0272.html This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.3 R2 Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868 Upstream tracker & commit: https://issues.apache.org/jira/browse/GROOVY-8052 https://github.com/apache/groovy/blob/master/src/main/org/codehaus/groovy/runtime/MethodClosure.java Apache groovy prior to 2.4.8 allows a desrialization via methodClosure which could allow desrialization of untrusted data. Currently all versions prior to 2.4.8 are affected and the mitigation is to update to versions >= 2.4.8. JBoss fuse has fixed this issue as a part of 6.3 R2. Upstream patches: https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764 https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d Satellite 6 doesn't actually use groovy so marking notaffected and closing. This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2486 https://access.redhat.com/errata/RHSA-2017:2486 groovy18-1.8.9-28.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report. groovy18-1.8.9-28.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2596 https://access.redhat.com/errata/RHSA-2017:2596 Analysis in comment 22 confirmed: the patch for this issue alone also resolves CVE-2015:3253. Statement: This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability. This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868 |