Bug 1413466 (CVE-2016-6814) - CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
Summary: CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-6814
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1413700 1413504 1413505 1413699 1416890 1466643 1466644 1470818 1483945 1483946
Blocks: 1385169 1413468 1415286
TreeView+ depends on / blocked
 
Reported: 2017-01-16 04:40 UTC by Hooman Broujerdi
Modified: 2019-09-29 14:04 UTC (History)
73 users (show)

Fixed In Version: groovy 2.4.8
Doc Type: Bug Fix
Doc Text:
It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:05:31 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0272 normal SHIPPED_LIVE Moderate: Red Hat JBoss Data Virtualization security and bug fix update 2017-02-14 21:41:53 UTC
Red Hat Product Errata RHSA-2017:0868 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update 2017-04-04 01:02:28 UTC
Red Hat Product Errata RHSA-2017:2486 normal SHIPPED_LIVE Important: groovy security update 2017-08-17 06:38:21 UTC
Red Hat Product Errata RHSA-2017:2596 normal SHIPPED_LIVE Important: rh-maven33-groovy security update 2017-09-06 02:54:05 UTC

Description Hooman Broujerdi 2017-01-16 04:40:30 UTC
It was found that a flaw in apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.

Comment 1 Adam Mariš 2017-01-16 08:43:47 UTC
Created groovy tracking bugs for this issue:

Affects: fedora-all [bug 1413504]


Created groovy18 tracking bugs for this issue:

Affects: fedora-all [bug 1413505]

Comment 7 Jason Shepherd 2017-01-22 23:22:03 UTC
JBoss Operations Network (JON) 3.3.x is not directly affected by this issue as it does not deserialize untrusted content. Please be sure you've applied the changes to JON described in this article to reduce the risk of this kind of attack: https://access.redhat.com/articles/2570101.
If we do another maintence release of JON 3.3.x we will include a patch for this issue as a defence in depth measure. You can track that change here: https://bugzilla.redhat.com/show_bug.cgi?id=1415511.

Comment 9 errata-xmlrpc 2017-02-14 16:43:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.3 Update 4

Via RHSA-2017:0272 https://rhn.redhat.com/errata/RHSA-2017-0272.html

Comment 10 errata-xmlrpc 2017-04-03 21:04:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.3 R2

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868

Comment 12 Hooman Broujerdi 2017-04-20 22:38:35 UTC
Apache groovy prior to 2.4.8 allows a desrialization via methodClosure which could allow desrialization of untrusted data. 
Currently all versions prior to 2.4.8 are affected and the mitigation is to update to versions >= 2.4.8. 
JBoss fuse has fixed this issue as a part of 6.3 R2.

Comment 16 Kurt Seifried 2017-08-11 20:18:41 UTC
Satellite 6 doesn't actually use groovy so marking notaffected and closing.

Comment 17 errata-xmlrpc 2017-08-17 02:39:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2486 https://access.redhat.com/errata/RHSA-2017:2486

Comment 18 Fedora Update System 2017-08-18 00:24:15 UTC
groovy18-1.8.9-28.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2017-08-18 04:48:34 UTC
groovy18-1.8.9-28.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 errata-xmlrpc 2017-09-05 22:55:38 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS

Via RHSA-2017:2596 https://access.redhat.com/errata/RHSA-2017:2596

Comment 24 Doran Moppert 2017-09-25 06:31:40 UTC
Analysis in comment 22 confirmed:  the patch for this issue alone also resolves CVE-2015:3253.

Comment 25 Kurt Seifried 2018-03-02 21:53:20 UTC
Statement:

This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.

Comment 26 errata-xmlrpc 2018-07-02 15:51:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868


Note You need to log in before you can comment on or make changes to this bug.