ID CVE-2016-6814
Summary When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that executes code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
References
Vulnerable Configurations
  • Apache Software Foundation Groovy 1.7.0
    cpe:2.3:a:apache:groovy:1.7.0
  • Apache Software Foundation Groovy 1.7.0 Beta 1
    cpe:2.3:a:apache:groovy:1.7.0:beta_1
  • Apache Software Foundation Groovy 1.7.0 Beta 2
    cpe:2.3:a:apache:groovy:1.7.0:beta_2
  • Apache Software Foundation Groovy 1.7.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:1.7.0:rc1
  • Apache Software Foundation Groovy 1.7.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:1.7.0:rc2
  • Apache Software Foundation Groovy 1.7.1
    cpe:2.3:a:apache:groovy:1.7.1
  • Apache Software Foundation Groovy 1.7.2
    cpe:2.3:a:apache:groovy:1.7.2
  • Apache Software Foundation Groovy 1.7.3
    cpe:2.3:a:apache:groovy:1.7.3
  • Apache Software Foundation Groovy 1.7.4
    cpe:2.3:a:apache:groovy:1.7.4
  • Apache Software Foundation Groovy 1.7.5
    cpe:2.3:a:apache:groovy:1.7.5
  • Apache Software Foundation Groovy 1.7.6
    cpe:2.3:a:apache:groovy:1.7.6
  • Apache Software Foundation Groovy 1.7.7
    cpe:2.3:a:apache:groovy:1.7.7
  • Apache Software Foundation Groovy 1.7.8
    cpe:2.3:a:apache:groovy:1.7.8
  • Apache Software Foundation Groovy 1.7.9
    cpe:2.3:a:apache:groovy:1.7.9
  • Apache Software Foundation Groovy 1.7.10
    cpe:2.3:a:apache:groovy:1.7.10
  • Apache Software Foundation Groovy 1.7.11
    cpe:2.3:a:apache:groovy:1.7.11
  • Apache Software Foundation Groovy 1.8.0
    cpe:2.3:a:apache:groovy:1.8.0
  • Apache Software Foundation Groovy 1.8.0 Beta 1
    cpe:2.3:a:apache:groovy:1.8.0:beta_1
  • Apache Software Foundation Groovy 1.8.0 Beta 2
    cpe:2.3:a:apache:groovy:1.8.0:beta_2
  • Apache Software Foundation Groovy 1.8.0 Beta 3
    cpe:2.3:a:apache:groovy:1.8.0:beta_3
  • Apache Software Foundation Groovy 1.8.0 Beta 4
    cpe:2.3:a:apache:groovy:1.8.0:beta_4
  • Apache Software Foundation Groovy 1.8.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:1.8.0:rc1
  • Apache Software Foundation Groovy 1.8.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:1.8.0:rc2
  • Apache Software Foundation Groovy 1.8.0 Release Candidate 3
    cpe:2.3:a:apache:groovy:1.8.0:rc3
  • Apache Software Foundation Groovy 1.8.0 Release Candidate 4
    cpe:2.3:a:apache:groovy:1.8.0:rc4
  • Apache Software Foundation Groovy 1.8.1
    cpe:2.3:a:apache:groovy:1.8.1
  • Apache Software Foundation Groovy 1.8.2
    cpe:2.3:a:apache:groovy:1.8.2
  • Apache Software Foundation Groovy 1.8.3
    cpe:2.3:a:apache:groovy:1.8.3
  • Apache Software Foundation Groovy 1.8.4
    cpe:2.3:a:apache:groovy:1.8.4
  • Apache Software Foundation Groovy 1.8.5
    cpe:2.3:a:apache:groovy:1.8.5
  • Apache Software Foundation Groovy 1.8.6
    cpe:2.3:a:apache:groovy:1.8.6
  • Apache Software Foundation Groovy 1.8.7
    cpe:2.3:a:apache:groovy:1.8.7
  • Apache Software Foundation Groovy 1.8.8
    cpe:2.3:a:apache:groovy:1.8.8
  • Apache Software Foundation Groovy 1.8.9
    cpe:2.3:a:apache:groovy:1.8.9
  • Apache Software Foundation Groovy 1.9.0
    cpe:2.3:a:apache:groovy:1.9.0
  • Apache Software Foundation Groovy 1.9.0 Beta 1
    cpe:2.3:a:apache:groovy:1.9.0:beta_1
  • Apache Software Foundation Groovy 1.9.0 Beta 3
    cpe:2.3:a:apache:groovy:1.9.0:beta_3
  • Apache Software Foundation Groovy 1.9.0 Beta 4
    cpe:2.3:a:apache:groovy:1.9.0:beta_4
  • Apache Software Foundation Groovy 2.0.0
    cpe:2.3:a:apache:groovy:2.0.0
  • Apache Software Foundation Groovy 2.0.0 Beta 1
    cpe:2.3:a:apache:groovy:2.0.0:beta_1
  • Apache Software Foundation Groovy 2.0.0 Beta 2
    cpe:2.3:a:apache:groovy:2.0.0:beta_2
  • Apache Software Foundation Groovy 2.0.0 Beta 3
    cpe:2.3:a:apache:groovy:2.0.0:beta_3
  • Apache Software Foundation Groovy 2.0.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:2.0.0:rc1
  • Apache Software Foundation Groovy 2.0.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:2.0.0:rc2
  • Apache Software Foundation Groovy 2.0.0 Release Candidate 3
    cpe:2.3:a:apache:groovy:2.0.0:rc3
  • Apache Software Foundation Groovy 2.0.0 Release Candidate 4
    cpe:2.3:a:apache:groovy:2.0.0:rc4
  • Apache Software Foundation Groovy 2.0.1
    cpe:2.3:a:apache:groovy:2.0.1
  • Apache Software Foundation Groovy 2.0.2
    cpe:2.3:a:apache:groovy:2.0.2
  • Apache Software Foundation Groovy 2.0.3
    cpe:2.3:a:apache:groovy:2.0.3
  • Apache Software Foundation Groovy 2.0.4
    cpe:2.3:a:apache:groovy:2.0.4
  • Apache Software Foundation Groovy 2.0.5
    cpe:2.3:a:apache:groovy:2.0.5
  • Apache Software Foundation Groovy 2.0.6
    cpe:2.3:a:apache:groovy:2.0.6
  • Apache Software Foundation Groovy 2.0.7
    cpe:2.3:a:apache:groovy:2.0.7
  • Apache Software Foundation Groovy 2.0.8
    cpe:2.3:a:apache:groovy:2.0.8
  • Apache Software Foundation Groovy 2.1.0
    cpe:2.3:a:apache:groovy:2.1.0
  • Apache Software Foundation Groovy 2.1.0 Beta 1
    cpe:2.3:a:apache:groovy:2.1.0:beta_1
  • Apache Software Foundation Groovy 2.1.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:2.1.0:rc1
  • Apache Software Foundation Groovy 2.1.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:2.1.0:rc2
  • Apache Software Foundation Groovy 2.1.0 Release Candidate 3
    cpe:2.3:a:apache:groovy:2.1.0:rc3
  • Apache Software Foundation Groovy 2.1.1
    cpe:2.3:a:apache:groovy:2.1.1
  • Apache Software Foundation Groovy 2.1.2
    cpe:2.3:a:apache:groovy:2.1.2
  • Apache Software Foundation Groovy 2.1.3
    cpe:2.3:a:apache:groovy:2.1.3
  • Apache Software Foundation Groovy 2.1.4
    cpe:2.3:a:apache:groovy:2.1.4
  • Apache Software Foundation Groovy 2.1.5
    cpe:2.3:a:apache:groovy:2.1.5
  • Apache Software Foundation Groovy 2.1.6
    cpe:2.3:a:apache:groovy:2.1.6
  • Apache Software Foundation Groovy 2.1.7
    cpe:2.3:a:apache:groovy:2.1.7
  • Apache Software Foundation Groovy 2.1.8
    cpe:2.3:a:apache:groovy:2.1.8
  • Apache Software Foundation Groovy 2.1.9
    cpe:2.3:a:apache:groovy:2.1.9
  • Apache Software Foundation Groovy 2.2.0
    cpe:2.3:a:apache:groovy:2.2.0
  • Apache Software Foundation Groovy 2.2.0 Beta 1
    cpe:2.3:a:apache:groovy:2.2.0:beta_1
  • Apache Software Foundation Groovy 2.2.0 Beta 2
    cpe:2.3:a:apache:groovy:2.2.0:beta_2
  • Apache Software Foundation Groovy 2.2.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:2.2.0:rc1
  • Apache Software Foundation Groovy 2.2.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:2.2.0:rc2
  • Apache Software Foundation Groovy 2.2.0 Release Candidate 3
    cpe:2.3:a:apache:groovy:2.2.0:rc3
  • Apache Software Foundation Groovy 2.2.1
    cpe:2.3:a:apache:groovy:2.2.1
  • Apache Software Foundation Groovy 2.2.2
    cpe:2.3:a:apache:groovy:2.2.2
  • Apache Software Foundation Groovy 2.3.0
    cpe:2.3:a:apache:groovy:2.3.0
  • Apache Software Foundation Groovy 2.3.0 Beta 1
    cpe:2.3:a:apache:groovy:2.3.0:beta_1
  • Apache Software Foundation Groovy 2.3.0 Beta 2
    cpe:2.3:a:apache:groovy:2.3.0:beta_2
  • Apache Software Foundation Groovy 2.3.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:2.3.0:rc1
  • Apache Software Foundation Groovy 2.3.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:2.3.0:rc2
  • Apache Software Foundation Groovy 2.3.0 Release Candidate 3
    cpe:2.3:a:apache:groovy:2.3.0:rc3
  • Apache Software Foundation Groovy 2.3.1
    cpe:2.3:a:apache:groovy:2.3.1
  • Apache Software Foundation Groovy 2.3.2
    cpe:2.3:a:apache:groovy:2.3.2
  • Apache Software Foundation Groovy 2.3.3
    cpe:2.3:a:apache:groovy:2.3.3
  • Apache Software Foundation Groovy 2.3.4
    cpe:2.3:a:apache:groovy:2.3.4
  • Apache Software Foundation Groovy 2.3.5
    cpe:2.3:a:apache:groovy:2.3.5
  • Apache Software Foundation Groovy 2.3.6
    cpe:2.3:a:apache:groovy:2.3.6
  • Apache Software Foundation Groovy 2.3.7
    cpe:2.3:a:apache:groovy:2.3.7
  • Apache Software Foundation Groovy 2.3.8
    cpe:2.3:a:apache:groovy:2.3.8
  • Apache Software Foundation Groovy 2.3.9
    cpe:2.3:a:apache:groovy:2.3.9
  • Apache Software Foundation Groovy 2.3.10
    cpe:2.3:a:apache:groovy:2.3.10
  • Apache Software Foundation Groovy 2.3.11
    cpe:2.3:a:apache:groovy:2.3.11
  • Apache Software Foundation Groovy 2.4.0
    cpe:2.3:a:apache:groovy:2.4.0
  • Apache Software Foundation Groovy 2.4.0 Beta 1
    cpe:2.3:a:apache:groovy:2.4.0:beta_1
  • Apache Software Foundation Groovy 2.4.0 Beta 2
    cpe:2.3:a:apache:groovy:2.4.0:beta_2
  • Apache Software Foundation Groovy 2.4.0 Beta 3
    cpe:2.3:a:apache:groovy:2.4.0:beta_3
  • Apache Software Foundation Groovy 2.4.0 Beta 4
    cpe:2.3:a:apache:groovy:2.4.0:beta_4
  • Apache Software Foundation Groovy 2.4.0 Release Candidate 1
    cpe:2.3:a:apache:groovy:2.4.0:rc1
  • Apache Software Foundation Groovy 2.4.0 Release Candidate 2
    cpe:2.3:a:apache:groovy:2.4.0:rc2
  • Apache Software Foundation Groovy 2.4.1
    cpe:2.3:a:apache:groovy:2.4.1
  • Apache Software Foundation Groovy 2.4.2
    cpe:2.3:a:apache:groovy:2.4.2
  • Apache Software Foundation Groovy 2.4.3
    cpe:2.3:a:apache:groovy:2.4.3
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
CVSS
Base: 7.5
Impact:
Exploitability:
CWE CWE-502
CAPEC
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170817_GROOVY_ON_SL7_X.NASL
    description Security Fix(es) : - It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 102675
    published 2017-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102675
    title Scientific Linux Security Update : groovy on SL7.x (noarch)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-33C8085C5D.NASL
    description Fixes information disclosure vulnerability (CVE-2016-6814) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-12
    plugin id 102601
    published 2017-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102601
    title Fedora 25 : groovy18 (2017-33c8085c5d)
  • NASL family Misc.
    NASL id ORACLE_JDEVELOPER_CPU_OCT_2017.NASL
    description The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by a vulnerability in the Spatial (Apache Groovy) component of Oracle Database Server. Please see the vendor advisory for additional information.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 103931
    published 2017-10-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103931
    title Oracle JDeveloper ADF Faces Unspecified Remote Code Execution (October 2017 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-1CE2A05FF1.NASL
    description Security fix for CVE-2016-6814 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-12
    plugin id 96734
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96734
    title Fedora 24 : groovy (2017-1ce2a05ff1)
  • NASL family Databases
    NASL id ORACLE_RDBMS_CPU_OCT_2017.NASL
    description The remote Oracle Database Server is missing the October 2017 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 103971
    published 2017-10-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103971
    title Oracle Database Multiple Vulnerabilities (October 2017 CPU)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2486.NASL
    description An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102879
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102879
    title CentOS 7 : groovy (CESA-2017:2486)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4AF92A40DB3311E6AE1B002590263BF5.NASL
    description The Apache Groovy project reports : When an application with Groovy on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it is possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. This is similar to CVE-2015-3253 but this exploit involves extra wrapping of objects and catching of exceptions which are now safe guarded against.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96511
    published 2017-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96511
    title FreeBSD : groovy -- remote execution of untrusted code/DoS vulnerability (4af92a40-db33-11e6-ae1b-002590263bf5)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-794.NASL
    description It was found that a flaw in Apache Groovy, a dynamic language for the Java Virtual Machine, allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. For Debian 7 'Wheezy', these problems have been fixed in version 1.8.6-1+deb7u2. We recommend that you upgrade your groovy packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 96666
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96666
    title Debian DLA-794-1 : groovy security update
  • NASL family Misc.
    NASL id ORACLE_ENTERPRISE_MANAGER_OCT_2017_CPU.NASL
    description The version of Oracle Enterprise Manager Ops Center installed on the remote host is missing a security patch. It is, therefore, affected by a remote code execution vulnerability. Refer to the October 2017 CPU for details on this vulnerability.
    last seen 2019-02-21
    modified 2018-04-19
    plugin id 104052
    published 2017-10-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104052
    title Oracle Enterprise Manager Ops Center Remote Code Execution (October 2017 CPU)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-CC0E0DAF0F.NASL
    description Security fix for CVE-2016-6814 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-12
    plugin id 96679
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96679
    title Fedora 25 : groovy (2017-cc0e0daf0f)
  • NASL family CGI abuses
    NASL id ORACLE_PRIMAVERA_GATEWAY_CPU_JUL_2017.NASL
    description According to its self-reported version number, the Oracle Primavera Gateway installation running on the remote web server is prior to 14.2.3, 15.x prior to 15.2.12, or 16.x prior to 16.2.4. It is, therefore, affected by the following vulnerabilities : - A remote code execution vulnerability exists in the Primavera Integration (Standard) component, specifically in Apache Standard Taglib, due to an XML external entity (XXE) injection flaw when parsing XML data because of an incorrectly configured XML parser accepting XML external entities from untrusted sources. An unauthenticated, remote attacker can exploit this, via specially crafted XML data, to disclose resources on the target system or utilize XSLT extensions to execute arbitrary code. (CVE-2015-0254) - A remote code execution vulnerability exists in the Primavera Integration (Groovy) component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this to execute arbitrary code on the target host. (CVE-2016-6814) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 101899
    published 2017-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101899
    title Oracle Primavera Gateway Multiple Vulnerabilities (July 2017 CPU)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2486.NASL
    description From Red Hat Security Advisory 2017:2486 : An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 102570
    published 2017-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102570
    title Oracle Linux 7 : groovy (ELSA-2017-2486)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2486.NASL
    description An update for groovy is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java. Security Fix(es) : * It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102574
    published 2017-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102574
    title RHEL 7 : groovy (RHSA-2017:2486)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-661DDDC462.NASL
    description Fixes information disclosure vulnerability (CVE-2016-6814) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-12
    plugin id 102552
    published 2017-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102552
    title Fedora 26 : groovy18 (2017-661dddc462)
redhat via4
advisories
  • bugzilla
    id 1413466
    title CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment groovy is earlier than 0:1.8.9-8.el7_4
          oval oval:com.redhat.rhsa:tst:20172486005
        • comment groovy is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172486006
      • AND
        • comment groovy-javadoc is earlier than 0:1.8.9-8.el7_4
          oval oval:com.redhat.rhsa:tst:20172486007
        • comment groovy-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172486008
    rhsa
    id RHSA-2017:2486
    released 2017-08-17
    severity Important
    title RHSA-2017:2486: groovy security update (Important)
  • rhsa
    id RHSA-2017:0272
  • rhsa
    id RHSA-2017:0868
  • rhsa
    id RHSA-2017:2596
rpms
  • groovy-0:1.8.9-8.el7_4
  • groovy-javadoc-0:1.8.9-8.el7_4
refmap via4
bid 95429
confirm
misc http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
sectrack 1039600
Last major update 18-01-2018 - 13:29
Published 18-01-2018 - 13:29
Last modified 16-01-2019 - 14:29