Vulnerabilities > CVE-2016-6814 - Deserialization of Untrusted Data vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
redhat
CWE-502
critical
nessus

Summary

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-1CE2A05FF1.NASL
    descriptionSecurity fix for CVE-2016-6814 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-25
    plugin id96734
    published2017-01-25
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96734
    titleFedora 24 : groovy (2017-1ce2a05ff1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170817_GROOVY_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen2020-03-18
    modified2017-08-22
    plugin id102675
    published2017-08-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102675
    titleScientific Linux Security Update : groovy on SL7.x (noarch) (20170817)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2486.NASL
    descriptionAn update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen2020-06-01
    modified2020-06-02
    plugin id102574
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102574
    titleRHEL 7 : groovy (RHSA-2017:2486)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4AF92A40DB3311E6AE1B002590263BF5.NASL
    descriptionThe Apache Groovy project reports : When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 but this exploit involves extra wrapping of objects and catching of exceptions which are now safe guarded against.
    last seen2020-06-01
    modified2020-06-02
    plugin id96511
    published2017-01-16
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96511
    titleFreeBSD : groovy -- remote execution of untrusted code/DoS vulnerability (4af92a40-db33-11e6-ae1b-002590263bf5)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-202003-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-202003-01 (Groovy: Arbitrary code execution) It was discovered that there was a vulnerability within the Java serialization/deserialization process. Impact : An attacker, by crafting a special serialized object, could execute arbitrary code. Workaround : There is no known workaround at this time.
    last seen2020-03-19
    modified2020-03-13
    plugin id134468
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134468
    titleGLSA-202003-01 : Groovy: Arbitrary code execution
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2486.NASL
    descriptionFrom Red Hat Security Advisory 2017:2486 : An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen2020-06-01
    modified2020-06-02
    plugin id102570
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102570
    titleOracle Linux 7 : groovy (ELSA-2017-2486)
  • NASL familyCGI abuses
    NASL idORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2017.NASL
    descriptionAccording to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is prior to 14.2.3, 15.x prior to 15.2.12, or 16.x prior to 16.2.4. It is, therefore, affected by the following vulnerabilities : - A remote code execution vulnerability exists in the Primavera Integration (Standard) component, specifically in Apache Standard Taglib, due to an XML external entity (XXE) injection flaw when parsing XML data because of an incorrectly configured XML parser accepting XML external entities from untrusted sources. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to disclose resources on the target system or utilize XSLT extensions to execute arbitrary code. (CVE-2015-0254) - A remote code execution vulnerability exists in the Primavera Integration (Groovy) component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the target host. (CVE-2016-6814) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-04-30
    modified2017-07-21
    plugin id101899
    published2017-07-21
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101899
    titleOracle Primavera Gateway Multiple Vulnerabilities (July 2017 CPU)
  • NASL familyWindows
    NASL idORACLE_WEBCENTER_SITES_JUL_2019_CPU.NASL
    descriptionOracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities : - A deserialization vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Groovy)) due to a lack of isolation of object deserialization code. An unauthenticated, remote attacker can exploit this, via HTTP, to execute arbitrary code on the target host. (CVE-2016-6814) - A remote code execution vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Apache Commons FileUpload)) due to an unspecified reason. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Apache Batik)) due to an issue with deserialization. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop functioning properly. (CVE-2018-8013) - A denial of service (DoS) vulnerability exists in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Advanced UI (Spring Framework)) due to an issue handling range requests with a high number of ranges, wide ranges that overlap, or both. An unauthenticated, remote attacker can exploit this issue, via HTTP, to cause the application to stop responding. (CVE-2018-15765) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-05-03
    modified2020-04-29
    plugin id136091
    published2020-04-29
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136091
    titleOracle WebCenter Sites Multiple Vulnerabilities (July 2019 CPU)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2486.NASL
    descriptionAn update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen2020-06-01
    modified2020-06-02
    plugin id102879
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102879
    titleCentOS 7 : groovy (CESA-2017:2486)
  • NASL familyMisc.
    NASL idORACLE_JDEVELOPER_CPU_OCT_2017.NASL
    descriptionThe version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by vulnerability in the Spatial (Apache Groovy) component of Oracle Database Server. Please see the vendor advisory for additional information.
    last seen2020-06-01
    modified2020-06-02
    plugin id103931
    published2017-10-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103931
    titleOracle JDeveloper ADF Faces Unspecified Remote Code Execution (October 2017 CPU)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-33C8085C5D.NASL
    descriptionFixes information disclosure vulnerability (CVE-2016-6814) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-21
    plugin id102601
    published2017-08-21
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102601
    titleFedora 25 : groovy18 (2017-33c8085c5d)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-CC0E0DAF0F.NASL
    descriptionSecurity fix for CVE-2016-6814 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-23
    plugin id96679
    published2017-01-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96679
    titleFedora 25 : groovy (2017-cc0e0daf0f)
  • NASL familyDatabases
    NASL idORACLE_RDBMS_CPU_OCT_2017.NASL
    descriptionThe remote Oracle Database Server is missing the October 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-02
    modified2017-10-19
    plugin id103971
    published2017-10-19
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103971
    titleOracle Database Multiple Vulnerabilities (October 2017 CPU)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-661DDDC462.NASL
    descriptionFixes information disclosure vulnerability (CVE-2016-6814) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-08-18
    plugin id102552
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102552
    titleFedora 26 : groovy18 (2017-661dddc462)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-794.NASL
    descriptionIt was found that a flaw in Apache Groovy, a dynamic language for the Java Virtual Machine, allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. For Debian 7
    last seen2020-03-17
    modified2017-01-23
    plugin id96666
    published2017-01-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96666
    titleDebian DLA-794-1 : groovy security update
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_OCT_2017_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Ops Center installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability. Refer to the October 2017 CPU for details on this vulnerability.
    last seen2020-06-01
    modified2020-06-02
    plugin id104052
    published2017-10-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104052
    titleOracle Enterprise Manager Ops Center Remote Code Execution (October 2017 CPU)

Redhat

advisories
  • bugzilla
    id1413466
    titleCVE-2016-6814 Apache Groovy: Remote code execution via deserialization
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentgroovy-javadoc is earlier than 0:1.8.9-8.el7_4
            ovaloval:com.redhat.rhsa:tst:20172486001
          • commentgroovy-javadoc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20172486002
        • AND
          • commentgroovy is earlier than 0:1.8.9-8.el7_4
            ovaloval:com.redhat.rhsa:tst:20172486003
          • commentgroovy is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20172486004
    rhsa
    idRHSA-2017:2486
    released2017-08-17
    severityImportant
    titleRHSA-2017:2486: groovy security update (Important)
  • rhsa
    idRHSA-2017:0272
  • rhsa
    idRHSA-2017:0868
  • rhsa
    idRHSA-2017:2596
rpms
  • groovy-0:1.8.9-8.el7_4
  • groovy-javadoc-0:1.8.9-8.el7_4
  • rh-maven33-groovy-0:1.8.9-7.19.el6
  • rh-maven33-groovy-0:1.8.9-7.19.el7
  • rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6
  • rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7

References