Red Hat Bugzilla – Bug 1413466
CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
Last modified: 2018-08-18 07:29:50 EDT
It was found that a flaw in apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Created groovy tracking bugs for this issue: Affects: fedora-all [bug 1413504] Created groovy18 tracking bugs for this issue: Affects: fedora-all [bug 1413505]
JBoss Operations Network (JON) 3.3.x is not directly affected by this issue as it does not deserialize untrusted content. Please be sure you've applied the changes to JON described in this article to reduce the risk of this kind of attack: https://access.redhat.com/articles/2570101. If we do another maintence release of JON 3.3.x we will include a patch for this issue as a defence in depth measure. You can track that change here: https://bugzilla.redhat.com/show_bug.cgi?id=1415511.
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.3 Update 4 Via RHSA-2017:0272 https://rhn.redhat.com/errata/RHSA-2017-0272.html
This issue has been addressed in the following products: Red Hat JBoss Fuse/A-MQ 6.3 R2 Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868
Upstream tracker & commit: https://issues.apache.org/jira/browse/GROOVY-8052 https://github.com/apache/groovy/blob/master/src/main/org/codehaus/groovy/runtime/MethodClosure.java
Apache groovy prior to 2.4.8 allows a desrialization via methodClosure which could allow desrialization of untrusted data. Currently all versions prior to 2.4.8 are affected and the mitigation is to update to versions >= 2.4.8. JBoss fuse has fixed this issue as a part of 6.3 R2.
Upstream patches: https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764 https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
Satellite 6 doesn't actually use groovy so marking notaffected and closing.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2486 https://access.redhat.com/errata/RHSA-2017:2486
groovy18-1.8.9-28.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
groovy18-1.8.9-28.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2596 https://access.redhat.com/errata/RHSA-2017:2596
Analysis in comment 22 confirmed: the patch for this issue alone also resolves CVE-2015:3253.
Statement: This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868