CVE-2016-6814
published 2018-01-18

Priority: P2 · 65 · critical · CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 17.24% (96.7th percentile)
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

Affected (8 ranges)

Vendor   Product                  Version range                  Fixed in
apache   groovy                   >= 0 < 2.4.8-1                 2.4.8-1
apache   groovy                   >= 0 < 2.4.8-1                 2.4.8-1
apache   groovy                   >= 0 < 2.4.8-1                 2.4.8-1
apache   groovy                   >= 0 < 2.4.8-1                 2.4.8-1
apache   groovy                   1.7.0 – 2.4.3
apache   groovy                   2.4.4 – 2.4.7
debian   groovy                   < groovy 2.4.8-1 (bookworm)    groovy 2.4.8-1 (bookworm)
redhat   enterprise_linux_server

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via Java deserialization of a specially crafted serialized object using Apache Groovy's MethodClosure class. Monitor for deserialization of untrusted data in applications with Groovy on the classpath.
  • The deserialization gadget chain is rooted in MethodClosure.java within the Groovy runtime. Inspect or block deserialization paths involving org.codehaus.groovy.runtime.MethodClosure.
  • Apache Groovy prior to 2.4.8 is vulnerable via MethodClosure deserialization. Flag or alert on classpath presence of groovy versions 1.7.0–2.4.3 (Codehaus) or 2.4.4–2.4.7 (Apache) in Java applications that accept serialized objects.
  • The vulnerability is exploitable remotely over HTTP. Monitor HTTP endpoints that accept serialized Java objects (Content-Type: application/x-java-serialized-object or raw binary POST bodies starting with 0xACED0005) on applications using affected Groovy versions.
  • All applications relying on Java serialization that do NOT isolate deserialization code are vulnerable; isolation of the deserialization code path is a required architectural control.
  • Red Hat JBoss Operations Network 3.3.x is not directly affected because it does not deserialize untrusted content, but hardening steps are still recommended.
  • Red Hat Satellite 6.2 and later do not ship Groovy and are therefore not affected; only Satellite 6.0 and 6.1 are impacted.
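As an added defender-side example (not part of this record), a small Python inspector that applies the indicators listed above to one captured HTTP request: the serialized-object Content-Type, the 0xACED0005 stream magic, and a TC_CLASSDESC naming org.codehaus.groovy.runtime.MethodClosure. The sample bodies are constructed, truncated stream headers that only carry the class name; they are not serialized objects.

```python
import re
from dataclasses import dataclass, field

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"          # STREAM_MAGIC + version 5 (0xACED0005)
SERIAL_CONTENT_TYPE = "application/x-java-serialized-object"
GROOVY_GADGET_CLASS = "org.codehaus.groovy.runtime.MethodClosure"  # gadget entry class
# TC_CLASSDESC (0x72) is followed by a 2-byte big-endian length and the class name
# in modified UTF-8; 0x72 is also ASCII 'r', so every hit is sanity-checked below.
_CLASSDESC = re.compile(rb"\x72(..)", re.DOTALL)
_CLASS_NAME = re.compile(rb"[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+")

@dataclass
class Finding:
    serialized_stream: bool        # body starts with 0xACED0005
    serialized_content_type: bool  # declared Content-Type says so
    groovy_gadget: bool            # MethodClosure class descriptor present
    classes: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        if self.groovy_gadget:
            return "critical"
        return "review" if self.serialized_stream or self.serialized_content_type else "none"

def extract_class_names(body: bytes) -> list:
    """Class names from an uncompressed stream's TC_CLASSDESC records.
    A stream wrapped in gzip or another container yields nothing here."""
    names = []
    for m in _CLASSDESC.finditer(body):
        n = int.from_bytes(m.group(1), "big")
        name = body[m.end():m.end() + n]
        if n and len(name) == n and _CLASS_NAME.fullmatch(name):
            names.append(name.decode("ascii"))
    return names

def inspect_request(headers: dict, body: bytes) -> Finding:
    """Apply the record's indicators to one captured request (headers + raw body)."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    by_ct = ctype.split(";")[0].strip().lower() == SERIAL_CONTENT_TYPE
    is_stream = body.startswith(JAVA_SERIAL_MAGIC)
    classes = extract_class_names(body) if is_stream else []
    return Finding(is_stream, by_ct, GROOVY_GADGET_CLASS in classes, classes)

# Constructed samples: a truncated TC_OBJECT/TC_CLASSDESC header that merely names
# the gadget class (not a working object), and a harmless serialized String.
SAMPLE_GROOVY = (JAVA_SERIAL_MAGIC + b"\x73\x72" + len(GROOVY_GADGET_CLASS).to_bytes(2, "big")
                 + GROOVY_GADGET_CLASS.encode() + b"\x00" * 8 + b"\x02\x00\x00")
SAMPLE_STRING = JAVA_SERIAL_MAGIC + b"\x74\x00\x05hello"
```

A body that is merely a serialized stream is flagged for review rather than as an incident, since the record's own note is that only applications deserializing untrusted input without isolation are exposed.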

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_redhat             9.8     CRITICAL
vendor_oracle             9.6     CRITICAL