Bug 1844510 (CVE-2016-6497)

Summary: CVE-2016-6497 groovy: allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, bbaranow, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, decathorpe, dkreling, dosoudil, drieden, eparis, etirelli, extras-orphan, ggaughan, gmalinko, gvarsami, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jburrell, jcantril, jcoleman, jochrist, jokerman, jolee, jperkins, jschatte, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lkundrak, loleary, mizdebsk, mnovotny, msochure, msrb, msvehla, nstielau, nwallace, paradhya, pjindal, pmackay, psotirop, puntogil, rguimara, rrajasek, rstancel, rsvoboda, rsynek, rwagner, sdaley, smaestri, spinder, sponnaga, tcunning, theute, tkirby, tom.jenkinson, vhalbert
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Groovy LDAP. The API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging the `returnObjFlag` setting. The highest threat from this vulnerability is to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-11 17:20:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1844511, 1844512    
Bug Blocks: 1844513    

Description Guilherme de Almeida Suckevicz 2020-06-05 14:48:48 UTC 
main/java/org/apache/directory/groovyldap/LDAP.java in the Groovy LDAP API in Apache allows attackers to conduct LDAP entry poisoning attacks by leveraging setting returnObjFlag to true for all search methods.

References:
https://mail-archives.apache.org/mod_mbox/directory-users/201610.mbox/%3Cb7d7e909-a8ed-1ab4-c853-4078c1e7624a%40stefan-seelmann.de%3E

Upstream commit:
http://svn.apache.org/viewvc/directory/sandbox/szoerner/groovyldap/src/main/java/org/apache/directory/groovyldap/LDAP.java?r1=1765362&r2=1765361&pathrev=1765362&view=patch
Comment 1 Guilherme de Almeida Suckevicz 2020-06-05 14:49:20 UTC 
Created groovy tracking bugs for this issue:

Affects: fedora-31 [bug 1844512]


Created groovy18 tracking bugs for this issue:

Affects: fedora-31 [bug 1844511]
Comment 6 Cedric Buissart 2020-06-11 14:05:00 UTC 
Statement:

The vulnerable class LDAP, is not found in OpenShift Container Platform's distribution of ElasticSearch.

Groovy as shipped in Red Hat Enterprise Linux 7 does not embed the LDAP class, and thus is not affected by this vulnerability.
Comment 7 Product Security DevOps Team 2020-06-11 17:20:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-6497