CVE-2016-6814
Published: 2018-01-18
Priority: P265 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 17.24% (96.7th percentile)
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | groovy | >= 0 < 2.4.8-1 | 2.4.8-1 |
| apache | groovy | 1.7.0 – 2.4.3 | — |
| apache | groovy | 2.4.4 – 2.4.7 | — |
| debian | groovy | < groovy 2.4.8-1 (bookworm) | groovy 2.4.8-1 (bookworm) |
| redhat | enterprise_linux_server | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via Java deserialization of a specially crafted serialized object using Apache Groovy's MethodClosure class. Monitor for deserialization of untrusted data in applications with Groovy on the classpath.
- The deserialization gadget chain is rooted in MethodClosure.java within the Groovy runtime. Inspect or block deserialization paths involving org.codehaus.groovy.runtime.MethodClosure.
- Apache Groovy prior to 2.4.8 is vulnerable via MethodClosure deserialization. Flag or alert on classpath presence of Groovy versions 1.7.0–2.4.3 (Codehaus) or 2.4.4–2.4.7 (Apache) in Java applications that accept serialized objects.
- The vulnerability is exploitable remotely over HTTP. Monitor HTTP endpoints that accept serialized Java objects (Content-Type: application/x-java-serialized-object, or raw binary POST bodies starting with 0xACED0005) on applications using affected Groovy versions.
- All applications relying on Java serialization that do NOT isolate deserialization code are vulnerable; isolation of the deserialization code path is a required architectural control.
- Red Hat JBoss Operations Network 3.3.x is not directly affected because it does not deserialize untrusted content, but hardening steps are still recommended.
- Red Hat Satellite 6.2 and later do not ship Groovy and are therefore not affected; only Satellite 6.0 and 6.1 are impacted.
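The detection guidance above, as an added example that is not part of this page or of any vendor advisory: a Python checker that flags an HTTP request by its Content-Type, by the 0xACED0005 stream magic, and by a class descriptor naming org.codehaus.groovy.runtime.MethodClosure. SAMPLE_BODY is a constructed stream header (not a payload), and class_names is a heuristic scan of TC_CLASSDESC records, not a full Java serialization parser.

```python
import re

STREAM_MAGIC = b"\xac\xed\x00\x05"      # STREAM_MAGIC 0xACED + STREAM_VERSION 5
TC_CLASSDESC = 0x72                     # tag that opens a class descriptor record
GADGET_CLASS = "org.codehaus.groovy.runtime.MethodClosure"
JAVA_CT = "application/x-java-serialized-object"
# A fully qualified class name: identifier segments joined by dots
CLASS_RE = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)+")


def is_java_serialized(body: bytes) -> bool:
    return body.startswith(STREAM_MAGIC)


def class_names(body: bytes) -> list:
    """Heuristically collect class names from TC_CLASSDESC records
    (0x72, 2-byte big-endian length, name); a 0x72 byte that is not
    followed by a plausible dotted class name is skipped."""
    names, i = [], len(STREAM_MAGIC)
    while i + 3 < len(body):
        if body[i] == TC_CLASSDESC:
            n = int.from_bytes(body[i + 1:i + 3], "big")
            name = body[i + 3:i + 3 + n]
            if 0 < n <= 255 and len(name) == n and CLASS_RE.fullmatch(name):
                names.append(name.decode("ascii"))
                i += 3 + n
                continue
        i += 1
    return names


def inspect_request(headers: dict, body: bytes) -> dict:
    """Classify one HTTP request; header names are expected lower-cased."""
    reasons = []
    if headers.get("content-type", "").lower().startswith(JAVA_CT):
        reasons.append("Content-Type " + JAVA_CT)
    names = []
    if is_java_serialized(body):
        reasons.append("body starts with 0xACED0005")
        names = class_names(body)
        if GADGET_CLASS in names:
            reasons.append("class descriptor for " + GADGET_CLASS)
    severity = "critical" if GADGET_CLASS in names else ("warn" if reasons else "none")
    return {"severity": severity, "classes": names, "reasons": reasons}


# Constructed fixture (not a payload): magic, TC_OBJECT, TC_CLASSDESC, the class
# name, an all-zero serialVersionUID, SC_SERIALIZABLE flag, zero fields,
# TC_ENDBLOCKDATA, then TC_NULL for the superclass descriptor.
_name = GADGET_CLASS.encode("ascii")
SAMPLE_BODY = (STREAM_MAGIC + b"\x73\x72" + len(_name).to_bytes(2, "big") + _name
               + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")
```

A body with the magic but no Groovy descriptor is reported as "warn", since any serialized Java object reaching an endpoint deserves a look; only the MethodClosure descriptor raises it to "critical".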
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.6 | CRITICAL | — |
OSV
Deserialization of Untrusted Data in Groovy
osv · 2022-05-13 · CRITICAL
GHSA
Deserialization of Untrusted Data in Groovy
ghsa · 2022-05-13 · CRITICAL · CWE-502
OSV
CVE-2016-6814
osv · 2018-01-18 · CVSS 9.8 · CRITICAL
Ubuntu
Apache Groovy vulnerability
vendor_ubuntu · 2021-03-15
Summary: Apache Groovy could be made to run programs as your login if it received a specially crafted serialized object.
It was discovered that Apache Groovy incorrectly handled serialization mechanisms. An attacker could possibly use this issue to execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Supply Chain Risk Matrix: Install (Apache Groovy) — CVE-2016-6814
vendor_oracle · 2020-07-15 · CVSS 9.6 · CRITICAL
CVE: CVE-2016-6814
CVSS: 9.6
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2020 (JUL 2020)
Oracle
Oracle Supply Chain Risk Matrix: CAX Client (Apache Groovy) — CVE-2016-6814
vendor_oracle · 2020-01-15 · CVSS 9.6 · CRITICAL
CVE: CVE-2016-6814
CVSS: 9.6
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2020 (JAN 2020)
Red Hat
Groovy: Remote code execution via deserialization
vendor_redhat · 2017-01-14 · CVSS 9.8 · CRITICAL · CWE-502
It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applic
Debian
CVE-2016-6814: groovy
vendor_debian · 2016 · CVSS 9.8 · CRITICAL
Scope: local
bookworm: resolved (fixed in 2.4.8-1)
bullseye: resolved (fixed in 2.4.8-1)
forky: resolved (fixed in 2.4.8-1)
sid: resolved (fixed in 2.4.8-1)
trixie: resolved (fixed in 2.4.8-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
bugzilla · 2017-01-16 · CVSS 9.8 · CRITICAL
It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Discussion:
Created groovy tracking bugs for this issue:
Affects: fedora-all [bug 1413504]
Created groovy18 tracking bugs for this issue:
Affects: fedora-all [bug 1413505]
---
JBoss Operations Network (JON) 3.3.x is not directly affected by this issue as it does not deserialize untrusted content. Please be sure you've applied the cha
Bugzilla
CVE-2016-6814 groovy: Apache Groovy: Information disclosure [fedora-all]
bugzilla · 2017-01-16 · CVSS 9.8 · CRITICAL
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions of F
Bugzilla
CVE-2016-6814 groovy18: Apache Groovy: Information disclosure [fedora-all]
bugzilla · 2017-01-16 · CVSS 9.8 · CRITICAL
Bugzilla
CVE-2015-3253 groovy: remote execution of untrusted code in class MethodClosure
bugzilla · 2015-07-16 · CVSS 9.8 · CRITICAL
It was reported that when an application has Groovy on the classpath and uses the standard Java serialization mechanism to communicate between servers, or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.
Mitigation:
Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):
public class MethodClosure extends Closure {
+ private Object readResolve() {
+ throw new UnsupportedOperationException();
+
}
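Review bot: the hunk is unbalanced as printed: the bare `+` line after `throw new UnsupportedOperationException();` should read `+ }` so that `readResolve()` is closed before the class's own `}`; as shown, that class-level brace closes the method and the class body is left open. A one-line comment above `readResolve()` stating that it exists to make every deserialization of a `MethodClosure` fail would also stop a later maintainer from "fixing" it back to returning `this`.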
Alternatively, you should make s
References
http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
http://rhn.redhat.com/errata/RHSA-2017-0272.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/95429
http://www.securitytracker.com/id/1039600
https://access.redhat.com/errata/RHSA-2017:0868
https://access.redhat.com/errata/RHSA-2017:2486
https://access.redhat.com/errata/RHSA-2017:2596
https://security.gentoo.org/glsa/202003-01
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html