Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2. References: https://groovy-lang.org/security.html#CVE-2020-17521 https://lists.apache.org/thread.html/ra9dab34bf8625511f23692ad0fcee2725f782e9aad6c5cdff6cf4465@%3Cnotifications.groovy.apache.org%3E
External References: https://groovy-lang.org/security.html#CVE-2020-17521
upstream fix: https://github.com/apache/groovy/pull/1425/commits/ea814531fe7c9a813e6d0b04533015020ed6cab7
upstream issue: https://issues.apache.org/jira/browse/GROOVY-9824
Mitigation: Setting the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability for all operating systems and all Groovy versions. Users who cannot easily move to the fixed Groovy versions may wish to consider using the JDK’s Files#createTempDirectory method instead of the Groovy extension methods.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss A-MQ Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 7. Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/. In OpenShift Container Platform (OCP) the vulnerable version of groovy is delivered in jenkins package and openshift4/ose-metering-hive container. The vulnerable groovy extension methods are not used directly in these components, therefore the impact by this vulnerability is Low. Although an affected version of groovy is shipped in CodeReady Studio, the vulnerable functionality is not used by default, so the impact of this vulnerability has been set to Low. Red Hat CodeReady WorkSpaces 2.7.0 does not ship groovy so is not affected by this flaw.
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-17521
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134