ID CVE-2016-6814
Summary When an application that has unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on its classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that executes code directly when deserialized. All applications that rely on serialization and do not isolate the code that deserializes objects were subject to this vulnerability.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:groovy:1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.7.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:beta_3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:beta_4:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.8.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.9.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.9.0:beta_3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:1.9.0:beta_4:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:beta_3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.0:rc4:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.0.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.0:rc3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:beta_1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:beta_2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:beta_3:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:beta_4:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.0:rc2:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:groovy:2.4.7:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 16-01-2019 - 19:29)
Impact:
Exploitability:
CWE CWE-502
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • bugzilla
    id 1413466
    title CVE-2016-6814 Apache Groovy: Remote code execution via deserialization
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment groovy is earlier than 0:1.8.9-8.el7_4
          oval oval:com.redhat.rhsa:tst:20172486005
        • comment groovy is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172486006
      • AND
        • comment groovy-javadoc is earlier than 0:1.8.9-8.el7_4
          oval oval:com.redhat.rhsa:tst:20172486007
        • comment groovy-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20172486008
    rhsa
    id RHSA-2017:2486
    released 2017-08-17
    severity Important
    title RHSA-2017:2486: groovy security update (Important)
  • rhsa
    id RHSA-2017:0272
  • rhsa
    id RHSA-2017:0868
  • rhsa
    id RHSA-2017:2596
rpms
  • groovy-0:1.8.9-8.el7_4
  • groovy-javadoc-0:1.8.9-8.el7_4
refmap via4
bid 95429
confirm
misc http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E
sectrack 1039600
Last major update 16-01-2019 - 19:29
Published 18-01-2018 - 18:29