Bug 1922123 (CVE-2020-17521) - CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
Summary: CVE-2020-17521 groovy: OS temporary directory leads to information disclosure
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-17521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1925176 1925177 1925178
Blocks: 1922124
TreeView+ depends on / blocked
 
Reported: 2021-01-29 09:57 UTC by Dhananjay Arunesh
Modified: 2021-12-14 21:33 UTC (History)
33 users (show)

Fixed In Version: groovy 2.4.21, groovy 2.5.14, groovy 3.0.7, groovy 4.0.0-alpha-2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Groovy. Groovy makes use of a method for creating temporary directories which is not suitable for security-sensitive contexts and allows for sensitive information leakage. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-08-18 13:28:11 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3205 0 None None None 2021-08-18 09:13:40 UTC
Red Hat Product Errata RHSA-2021:3207 0 None None None 2021-08-18 09:55:08 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:33:32 UTC

Description Dhananjay Arunesh 2021-01-29 09:57:00 UTC
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

References:
https://groovy-lang.org/security.html#CVE-2020-17521
https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E

Comment 1 Przemyslaw Roguski 2021-02-02 19:00:06 UTC
External References:

https://groovy-lang.org/security.html#CVE-2020-17521

Comment 4 Ted Jongseok Won 2021-02-04 05:00:09 UTC
upstream issue: https://issues.apache.org/jira/browse/GROOVY-9824

Comment 6 Mauro Matteo Cascella 2021-02-04 11:13:32 UTC
Mitigation:

Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.

Comment 9 Jonathan Christison 2021-02-09 11:16:03 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6
 * Red Hat JBoss A-MQ 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 13 Todd Cullum 2021-03-20 00:35:43 UTC
Statement:

This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

In OpenShift Container Platform (OCP) the vulnerable version of groovy is delivered in jenkins package and openshift4/ose-metering-hive container. The vulnerable groovy extension methods are not used directly in these components, therefore the impact by this vulnerability is Low.

Although an affected version of groovy is shipped in CodeReady Studio, the vulnerable functionality is not used by default, so the impact of this vulnerability has been set to Low.

Red Hat CodeReady WorkSpaces 2.7.0 does not ship groovy so is not affected by this flaw.

Comment 16 errata-xmlrpc 2021-08-18 09:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

Comment 17 errata-xmlrpc 2021-08-18 09:55:05 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207

Comment 18 Product Security DevOps Team 2021-08-18 13:28:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17521

Comment 19 errata-xmlrpc 2021-12-14 21:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134


Note You need to log in before you can comment on or make changes to this bug.