CVE-2016-6814
First published: Sat Jan 14 2017(Updated: )
It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/groovy | <0:1.8.9-8.el7_4 | 0:1.8.9-8.el7_4 |
| redhat/rh-maven33-groovy | <0:1.8.9-7.19.el6 | 0:1.8.9-7.19.el6 |
| redhat/rh-maven33-groovy | <0:1.8.9-7.19.el7 | 0:1.8.9-7.19.el7 |
| redhat/groovy | <2.4.8 | 2.4.8 |
| maven/org.codehaus.groovy:groovy-all | >=1.7.0<=2.4.7 | 2.4.8 |
| maven/org.codehaus.groovy:groovy | >=1.7.0<=2.4.7 | 2.4.8 |
| Apache Groovy | >=1.7.0<=2.4.3 | |
| Apache Groovy | >=2.4.4<=2.4.7 | |
| Red Hat Enterprise Linux Server | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2016-6814 https://nvd.nist.gov/vuln/detail/CVE-2016-6814
- https://bugzilla.redhat.com/show_bug.cgi?id=1413466
- https://access.redhat.com/errata/RHSA-2017:2486
- https://access.redhat.com/errata/RHSA-2017:0868
- https://access.redhat.com/errata/RHSA-2017:0272
- https://access.redhat.com/errata/RHSA-2017:2596
- https://access.redhat.com/security/cve/CVE-2016-6814
- http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
- http://rhn.redhat.com/errata/RHSA-2017-0272.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/95429
- http://www.securitytracker.com/id/1039600
- https://security.gentoo.org/glsa/202003-01
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1413504
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1413505
- https://access.redhat.com/articles/2570101
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1415511
- https://rhn.redhat.com/errata/RHSA-2017-0272.html
- https://issues.apache.org/jira/browse/GROOVY-8052
- https://github.com/apache/groovy/blob/master/src/main/org/codehaus/groovy/runtime/MethodClosure.java
- https://github.com/apache/groovy/commit/716d3e67e744c7edeed7cbc3f874090d39355764
- https://github.com/apache/groovy/commit/09e9778e8a33052d8c27105aee5310649637233d
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1413466#c22
- https://nvd.nist.gov/vuln/detail/CVE-2016-6814
- https://github.com/advisories/GHSA-xphj-m9cc-8fmq (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-6814
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/description
- agent/severity
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-xphj-m9cc-8fmq
- agent/last-modified-date
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- package-manager/redhat
- package-manager/maven
- vendor/apache
- canonical/apache groovy
- version/apache groovy/1.7.0
- version/apache groovy/2.4.3
- version/apache groovy/2.4.4
- version/apache groovy/2.4.7
- vendor/redhat
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0