Bug 1922123 (CVE-2020-17521)
Summary: | CVE-2020-17521 groovy: OS temporary directory leads to information disclosure | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abenaiss, aileenc, aos-bugs, ataylor, bibryam, bmontgom, chazlett, dramseur, drieden, eparis, ganandan, ggaughan, gmalinko, hbraun, janstey, java-maint, jburrell, jcantril, jhunter, jnethert, jochrist, jokerman, jwon, kmitts, mgala, mjudeiki, nstielau, pantinor, pbhattac, scorneli, sd-operator-metering, sponnaga, tflannag |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | groovy 2.4.21, groovy 2.5.14, groovy 3.0.7, groovy 4.0.0-alpha-2 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-18 13:28:11 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1925176, 1925177, 1925178 | ||
Bug Blocks: | 1922124 |
Description
Dhananjay Arunesh
2021-01-29 09:57:00 UTC
External References: https://groovy-lang.org/security.html#CVE-2020-17521 upstream fix: https://github.com/apache/groovy/pull/1425/commits/ea814531fe7c9a813e6d0b04533015020ed6cab7 upstream issue: https://issues.apache.org/jira/browse/GROOVY-9824 Mitigation: Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss A-MQ Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Statement: This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. In OpenShift Container Platform (OCP) the vulnerable version of groovy is delivered in jenkins package and openshift4/ose-metering-hive container. The vulnerable groovy extension methods are not used directly in these components, therefore the impact by this vulnerability is Low. Although an affected version of groovy is shipped in CodeReady Studio, the vulnerable functionality is not used by default, so the impact of this vulnerability has been set to Low. Red Hat CodeReady WorkSpaces 2.7.0 does not ship groovy so is not affected by this flaw. This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205 This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-17521 This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134 |