CVE-2016-6814 - Deserialization of Untrusted Data vulnerability in multiple products
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH

Summary
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Nessus
- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-1CE2A05FF1.NASL
  description: Security fix for CVE-2016-6814. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05
  modified: 2017-01-25
  plugin id: 96734
  published: 2017-01-25
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/96734
  title: Fedora 24 : groovy (2017-1ce2a05ff1)

- NASL family: Scientific Linux Local Security Checks
  NASL id: SL_20170817_GROOVY_ON_SL7_X.NASL
  description: Security Fix(es) : - It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
  last seen: 2020-03-18
  modified: 2017-08-22
  plugin id: 102675
  published: 2017-08-22
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102675
  title: Scientific Linux Security Update : groovy on SL7.x (noarch) (20170817)

- NASL family: Red Hat Local Security Checks
  NASL id: REDHAT-RHSA-2017-2486.NASL
  description: An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 102574
  published: 2017-08-18
  reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102574
  title: RHEL 7 : groovy (RHSA-2017:2486)

- NASL family: FreeBSD Local Security Checks
  NASL id: FREEBSD_PKG_4AF92A40DB3311E6AE1B002590263BF5.NASL
  description: The Apache Groovy project reports : When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 but this exploit involves extra wrapping of objects and catching of exceptions which are now safe guarded against.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 96511
  published: 2017-01-16
  reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/96511
  title: FreeBSD : groovy -- remote execution of untrusted code/DoS vulnerability (4af92a40-db33-11e6-ae1b-002590263bf5)

- NASL family: Gentoo Local Security Checks
  NASL id: GENTOO_GLSA-202003-01.NASL
  description: The remote host is affected by the vulnerability described in GLSA-202003-01 (Groovy: Arbitrary code execution) It was discovered that there was a vulnerability within the Java serialization/deserialization process. Impact : An attacker, by crafting a special serialized object, could execute arbitrary code. Workaround : There is no known workaround at this time.
  last seen: 2020-03-19
  modified: 2020-03-13
  plugin id: 134468
  published: 2020-03-13
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/134468
  title: GLSA-202003-01 : Groovy: Arbitrary code execution

- NASL family: Oracle Linux Local Security Checks
  NASL id: ORACLELINUX_ELSA-2017-2486.NASL
  description: From Red Hat Security Advisory 2017:2486 : An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 102570
  published: 2017-08-18
  reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102570
  title: Oracle Linux 7 : groovy (ELSA-2017-2486)

- NASL family: CGI abuses
  NASL id: ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2017.NASL
  description: According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is prior to 14.2.3, 15.x prior to 15.2.12, or 16.x prior to 16.2.4. It is, therefore, affected by the following vulnerabilities :
    - A remote code execution vulnerability exists in the Primavera Integration (Standard) component, specifically in Apache Standard Taglib, due to an XML external entity (XXE) injection flaw when parsing XML data because of an incorrectly configured XML parser accepting XML external entities from untrusted sources. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to disclose resources on the target system or utilize XSLT extensions to execute arbitrary code. (CVE-2015-0254)
    - A remote code execution vulnerability exists in the Primavera Integration (Groovy) component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the target host. (CVE-2016-6814)
    Note that Nessus has not tested for these issues but has instead relied only on the application
  last seen: 2020-04-30
  modified: 2017-07-21
  plugin id: 101899
  published: 2017-07-21
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/101899
  title: Oracle Primavera Gateway Multiple Vulnerabilities (July 2017 CPU)

- NASL family: Windows
  NASL id: ORACLE_WEBCENTER_SITES_JUL_2019_CPU.NASL
  description: Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities :
    - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host. (CVE-2016-6814)
    - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2016-1000031)
    - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop functioning properly. (CVE-2018-8013)
    - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765)
    Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
  last seen: 2020-05-03
  modified: 2020-04-29
  plugin id: 136091
  published: 2020-04-29
  reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/136091
  title: Oracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)

- NASL family: CentOS Local Security Checks
  NASL id: CENTOS_RHSA-2017-2486.NASL
  description: An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 102879
  published: 2017-09-01
  reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102879
  title: CentOS 7 : groovy (CESA-2017:2486)

- NASL family: Misc.
  NASL id: ORACLE_JDEVELOPER_CPU_OCT_2017.NASL
  description: The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by vulnerability in the Spatial (Apache Groovy) component of Oracle Database Server. Please see the vendor advisory for additional information.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 103931
  published: 2017-10-18
  reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/103931
  title: Oracle JDeveloper ADF Faces Unspecified Remote Code Execution (October 2017 CPU)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-33C8085C5D.NASL
  description: Fixes information disclosure vulnerability (CVE-2016-6814). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05
  modified: 2017-08-21
  plugin id: 102601
  published: 2017-08-21
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102601
  title: Fedora 25 : groovy18 (2017-33c8085c5d)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-CC0E0DAF0F.NASL
  description: Security fix for CVE-2016-6814. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05
  modified: 2017-01-23
  plugin id: 96679
  published: 2017-01-23
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/96679
  title: Fedora 25 : groovy (2017-cc0e0daf0f)

- NASL family: Databases
  NASL id: ORACLE_RDBMS_CPU_OCT_2017.NASL
  description: The remote Oracle Database Server is missing the October 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application
  last seen: 2020-06-02
  modified: 2017-10-19
  plugin id: 103971
  published: 2017-10-19
  reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/103971
  title: Oracle Database Multiple Vulnerabilities (October 2017 CPU)

- NASL family: Fedora Local Security Checks
  NASL id: FEDORA_2017-661DDDC462.NASL
  description: Fixes information disclosure vulnerability (CVE-2016-6814). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-05
  modified: 2017-08-18
  plugin id: 102552
  published: 2017-08-18
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/102552
  title: Fedora 26 : groovy18 (2017-661dddc462)

- NASL family: Debian Local Security Checks
  NASL id: DEBIAN_DLA-794.NASL
  description: It was found that a flaw in Apache Groovy, a dynamic language for the Java Virtual Machine, allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. For Debian 7
  last seen: 2020-03-17
  modified: 2017-01-23
  plugin id: 96666
  published: 2017-01-23
  reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/96666
  title: Debian DLA-794-1 : groovy security update

- NASL family: Misc.
  NASL id: ORACLE_ENTERPRISE_MANAGER_OCT_2017_CPU.NASL
  description: The version of Oracle Enterprise Manager Ops Center installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability. Refer to the October 2017 CPU for details on this vulnerability.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 104052
  published: 2017-10-21
  reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/104052
  title: Oracle Enterprise Manager Ops Center Remote Code Execution (October 2017 CPU)
References
- http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
- https://access.redhat.com/errata/RHSA-2017:2596
- https://access.redhat.com/errata/RHSA-2017:2486
- https://access.redhat.com/errata/RHSA-2017:0868
- http://www.securitytracker.com/id/1039600
- http://www.securityfocus.com/bid/95429
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.gentoo.org/glsa/202003-01
- https://www.oracle.com/security-alerts/cpujul2020.html