CVE-2016-6814 (GCVE-0-2016-6814)
Vulnerability from cvelistv5 – Published: 2018-01-18 18:00 – Updated: 2024-09-16 20:52 – n/a
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T01:43:37.985Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2017:2596",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"name": "RHSA-2017:0868",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "RHSA-2017:2486",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"name": "RHSA-2017:0272",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"name": "95429",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/95429"
},
{
"name": "1039600",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1039600"
},
{
"name": "GLSA-202003-01",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2018-01-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-15T02:22:54",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "RHSA-2017:2596",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"name": "RHSA-2017:0868",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "RHSA-2017:2486",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"name": "RHSA-2017:0272",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"name": "95429",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/95429"
},
{
"name": "1039600",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1039600"
},
{
"name": "GLSA-202003-01",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_PUBLIC": "2018-01-15T00:00:00",
"ID": "CVE-2016-6814",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:2596",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"name": "RHSA-2017:0868",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "RHSA-2017:2486",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"name": "RHSA-2017:0272",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"name": "95429",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95429"
},
{
"name": "1039600",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039600"
},
{
"name": "GLSA-202003-01",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E",
"refsource": "MISC",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-6814",
"datePublished": "2018-01-18T18:00:00Z",
"dateReserved": "2016-08-12T00:00:00",
"dateUpdated": "2024-09-16T20:52:30.155Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"1.7.0\", \"versionEndIncluding\": \"2.4.3\", \"matchCriteriaId\": \"6EB4409D-39D4-4F6B-AD3E-2E9B0997B6A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.4.4\", \"versionEndIncluding\": \"2.4.7\", \"matchCriteriaId\": \"C8F237F9-F70E-4815-BA42-5B5E8152965C\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"51EF4996-72F4-4FA4-814F-F5991E7A8318\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.\"}, {\"lang\": \"es\", \"value\": \"Cuando una aplicaci\\u00f3n con versiones de Codehaus no soportadas de Groovy desde la versi\\u00f3n 1.7.0 hasta la 2.4.3 o Apache Groovy desde la versi\\u00f3n 2.4.4 hasta la 2.4.7 en classpath usa mecanismos est\\u00e1ndar de serializaci\\u00f3n de Java (por ejemplo, para comunicarse entre servidores o almacenar datos locales), un atacante pudo preparar un objeto especialmente serializado que ejecutar\\u00e1 c\\u00f3digo directamente al ser deserializado. Todas las aplicaciones que dependen de la serializaci\\u00f3n y no a\\u00edslan el c\\u00f3digo que deserializa objetos estaban sujetos a esta vulnerabilidad.\"}]",
"id": "CVE-2016-6814",
"lastModified": "2024-11-21T02:56:53.077",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-01-18T18:29:00.233",
"references": "[{\"url\": \"http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0272.html\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/95429\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039600\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0868\", \"source\": \"cve@mitre.org\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2486\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2596\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202003-01\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"cve@mitre.org\"}, {\"url\": 
\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0272.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/95429\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1039600\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0868\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2486\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:2596\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202003-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2016-6814\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-01-18T18:29:00.233\",\"lastModified\":\"2024-11-21T02:56:53.077\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Cuando una aplicaci\u00f3n con versiones de Codehaus no soportadas de Groovy desde la versi\u00f3n 1.7.0 hasta la 2.4.3 o Apache Groovy desde la versi\u00f3n 2.4.4 hasta la 2.4.7 en classpath usa mecanismos est\u00e1ndar de serializaci\u00f3n de Java (por ejemplo, para comunicarse entre servidores o almacenar datos locales), un atacante pudo preparar un objeto especialmente serializado que ejecutar\u00e1 c\u00f3digo directamente al ser deserializado. 
Todas las aplicaciones que dependen de la serializaci\u00f3n y no a\u00edslan el c\u00f3digo que deserializa objetos estaban sujetos a esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.7.0\",\"versionEndIncluding\":\"2.4.3\",\"matchCriteriaId\":\"6EB4409D-39D4-4F6B-AD3E-2E9B0997B6A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.4\",\"versionEndIncluding\":\"2.4.7\",\"matchCriteriaId\":\"C8F237F9-F70E-4815-BA42-5B5E8152965C\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cp
e:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"}]}]}],\"references\":[{\"url\":\"http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-0272.html\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/95429\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039600\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0868\",\"source\":\"cve@mitre.org\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2486\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2596\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-01\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-0272.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/95429\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1039600\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0868\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken 
Link\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2486\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:2596\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
RHSA-2017_2486
Vulnerability from csaf_redhat - Published: 2017-08-17 02:38 - Updated: 2024-11-14 20:54
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for groovy is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java.\n\nSecurity Fix(es):\n\n* It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2486",
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2486.json"
}
],
"title": "Red Hat Security Advisory: groovy security update",
"tracking": {
"current_release_date": "2024-11-14T20:54:24+00:00",
"generator": {
"date": "2024-11-14T20:54:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2486",
"initial_release_date": "2017-08-17T02:38:21+00:00",
"revision_history": [
{
"date": "2017-08-17T02:38:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-17T02:38:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:54:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "groovy-0:1.8.9-8.el7_4.src",
"product": {
"name": "groovy-0:1.8.9-8.el7_4.src",
"product_id": "groovy-0:1.8.9-8.el7_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy@1.8.9-8.el7_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "groovy-0:1.8.9-8.el7_4.noarch",
"product": {
"name": "groovy-0:1.8.9-8.el7_4.noarch",
"product_id": "groovy-0:1.8.9-8.el7_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy@1.8.9-8.el7_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product_id": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy-javadoc@1.8.9-8.el7_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3253",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243934"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "groovy: remote execution of untrusted code in class MethodClosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3253"
},
{
"category": "external",
"summary": "RHBZ#1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253"
},
{
"category": "external",
"summary": "http://seclists.org/oss-sec/2015/q3/121",
"url": "http://seclists.org/oss-sec/2015/q3/121"
}
],
"release_date": "2015-07-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-17T02:38:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"category": "workaround",
"details": "Apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java) so that a MethodClosure can no longer be reconstituted from a serialized stream:\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + }\n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely; in particular, do not deserialize data received from untrusted sources.",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "groovy: remote execution of untrusted code in class MethodClosure"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization of untrusted data occurs in the application. It is possible for an attacker to supply a specially crafted serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy and, as such, are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-17T02:38:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017:0272
Vulnerability from csaf_redhat - Published: 2017-02-14 16:41 - Updated: 2025-11-21 17:59Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 4 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization of untrusted data occurs in the application. It is possible for an attacker to supply a specially crafted serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)\n\n* It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2016-2175)\n\n* It was found that the parsing of OOXML, XMP in PDF, and some other file formats by Apache Tika would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2016-4434)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:0272",
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "1340386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340386"
},
{
"category": "external",
"summary": "1340396",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340396"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0272.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization security and bug fix update",
"tracking": {
"current_release_date": "2025-11-21T17:59:26+00:00",
"generator": {
"date": "2025-11-21T17:59:26+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2017:0272",
"initial_release_date": "2017-02-14T16:41:53+00:00",
"revision_history": [
{
"date": "2017-02-14T16:41:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:40:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T17:59:26+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.3",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.3",
"product_id": "Red Hat JBoss Data Virtualization 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-2175",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-05-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1340396"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pdfbox: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2175"
},
{
"category": "external",
"summary": "RHBZ#1340396",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340396"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2175",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175"
}
],
"release_date": "2016-05-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "pdfbox: XML External Entity vulnerability"
},
{
"cve": "CVE-2016-4434",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-05-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1340386"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the parsing of OOXML, XMP in PDF, and some other file formats by Apache Tika would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tika: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-4434"
},
{
"category": "external",
"summary": "RHBZ#1340386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-4434",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-4434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4434"
}
],
"release_date": "2016-05-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tika: XML External Entity vulnerability"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization of untrusted data occurs in the application. It is possible for an attacker to supply a specially crafted serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy and, as such, are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017:2486
Vulnerability from csaf_redhat - Published: 2017-08-17 02:38 - Updated: 2025-11-21 18:02Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for groovy is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java.\n\nSecurity Fix(es):\n\n* It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2486",
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2486.json"
}
],
"title": "Red Hat Security Advisory: groovy security update",
"tracking": {
"current_release_date": "2025-11-21T18:02:02+00:00",
"generator": {
"date": "2025-11-21T18:02:02+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2017:2486",
"initial_release_date": "2017-08-17T02:38:21+00:00",
"revision_history": [
{
"date": "2017-08-17T02:38:21+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-08-17T02:38:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:02:02+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "groovy-0:1.8.9-8.el7_4.src",
"product": {
"name": "groovy-0:1.8.9-8.el7_4.src",
"product_id": "groovy-0:1.8.9-8.el7_4.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy@1.8.9-8.el7_4?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "groovy-0:1.8.9-8.el7_4.noarch",
"product": {
"name": "groovy-0:1.8.9-8.el7_4.noarch",
"product_id": "groovy-0:1.8.9-8.el7_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy@1.8.9-8.el7_4?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product_id": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/groovy-javadoc@1.8.9-8.el7_4?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Client-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Server-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-0:1.8.9-8.el7_4.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src"
},
"product_reference": "groovy-0:1.8.9-8.el7_4.src",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "groovy-javadoc-0:1.8.9-8.el7_4.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
},
"product_reference": "groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"relates_to_product_reference": "7Workstation-optional-7.4.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3253",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243934"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "groovy: remote execution of untrusted code in class MethodClosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3253"
},
{
"category": "external",
"summary": "RHBZ#1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253"
},
{
"category": "external",
"summary": "http://seclists.org/oss-sec/2015/q3/121",
"url": "http://seclists.org/oss-sec/2015/q3/121"
}
],
"release_date": "2015-07-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-17T02:38:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"category": "workaround",
"details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "groovy: remote execution of untrusted code in class MethodClosure"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-08-17T02:38:21+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Client-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Client-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7ComputeNode-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7ComputeNode-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Server-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Server-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.noarch",
"7Workstation-optional-7.4.Z:groovy-0:1.8.9-8.el7_4.src",
"7Workstation-optional-7.4.Z:groovy-javadoc-0:1.8.9-8.el7_4.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017_0868
Vulnerability from csaf_redhat - Published: 2017-04-03 21:02 - Updated: 2024-11-22 10:51
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was reported that Elasticsearch had vulnerabilities in the Groovy scripting engine, which allow an attacker to construct scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. (CVE-2015-1427)\n\n* It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)\n\n* It was found that Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2012-5783)\n\n* It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally, it is possible to load the arbitrary JSON files remotely via the URL query-string parameter. (CVE-2016-1000229)\n\n* A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. (CVE-2016-6812)\n\n* Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk. (CVE-2016-8739)\n\n* A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there\u0027s no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data. (CVE-2016-9177)\n\n* It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send a specially crafted payload to a camel-snakeyaml endpoint and cause a remote code execution attack. (CVE-2017-3159)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:0868",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
},
{
"category": "external",
"summary": "873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "1191969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
},
{
"category": "external",
"summary": "1360275",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
},
{
"category": "external",
"summary": "1393607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
},
{
"category": "external",
"summary": "1406810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
},
{
"category": "external",
"summary": "1406811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "1420834",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0868.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T10:51:39+00:00",
"generator": {
"date": "2024-11-22T10:51:39+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:0868",
"initial_release_date": "2017-04-03T21:02:28+00:00",
"revision_history": [
{
"date": "2017-04-03T21:02:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-02T15:51:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T10:51:39+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss A-MQ 6.3",
"product": {
"name": "Red Hat JBoss A-MQ 6.3",
"product_id": "Red Hat JBoss A-MQ 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:6.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.3",
"product": {
"name": "Red Hat JBoss Fuse 6.3",
"product_id": "Red Hat JBoss Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5783",
"discovery_date": "2012-11-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "873317"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5783"
},
{
"category": "external",
"summary": "RHBZ#873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5783",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783"
}
],
"release_date": "2012-10-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name"
},
{
"cve": "CVE-2015-1427",
"discovery_date": "2015-02-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1191969"
}
],
"notes": [
{
"category": "description",
"text": "It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "elasticsearch: remote code execution via Groovy sandbox bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-1427"
},
{
"category": "external",
"summary": "RHBZ#1191969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-1427",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1427"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2015-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-03-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "elasticsearch: remote code execution via Groovy sandbox bypass"
},
{
"cve": "CVE-2015-7559",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2015-07-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1293972"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache ActiveMQ client exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ActiveMQ: DoS in client via shutdown command",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7559"
},
{
"category": "external",
"summary": "RHBZ#1293972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1293972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7559",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7559"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559"
}
],
"release_date": "2017-04-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "ActiveMQ: DoS in client via shutdown command"
},
{
"cve": "CVE-2016-6812",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-12-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1406810"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in FormattedServiceListWriter in the Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection, these matrix parameters are reflected back to the client in the services list page without proper neutralization, which represents a cross-site scripting (XSS) risk to the client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6812"
},
{
"category": "external",
"summary": "RHBZ#1406810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6812",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2"
}
],
"release_date": "2016-12-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in the Apache Groovy library allows remote code execution wherever Java object deserialization of untrusted data occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
},
{
"cve": "CVE-2016-8739",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-12-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1406811"
}
],
"notes": [
{
"category": "description",
"text": "The Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom feeds or entries, and this parser expands XML external entities by default. An attacker able to submit a crafted Atom document to such an endpoint could therefore mount an XML External Entity (XXE) attack; this was found to represent a major XXE risk.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-8739"
},
{
"category": "external",
"summary": "RHBZ#1406811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-8739",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8739"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2"
}
],
"release_date": "2016-12-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE"
},
{
"cve": "CVE-2016-9177",
"discovery_date": "2016-11-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1393607"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal issue was found in Spark (the Spark Java web micro-framework) version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files, where there is no protection against directory traversal attacks. This could allow attackers to access private files outside the intended static-file directory, including sensitive data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spark: Directory traversal vulnerability in version 2.5",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-9177"
},
{
"category": "external",
"summary": "RHBZ#1393607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-9177",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9177"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177"
},
{
"category": "external",
"summary": "http://seclists.org/fulldisclosure/2016/Nov/13",
"url": "http://seclists.org/fulldisclosure/2016/Nov/13"
}
],
"release_date": "2016-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Spark: Directory traversal vulnerability in version 2.5"
},
{
"cve": "CVE-2016-1000229",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1360275"
}
],
"notes": [
{
"category": "description",
"text": "It was found that swagger-ui contains a cross-site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could supply a key name containing script tags, which could result in arbitrary script execution in the browser of a user viewing the document. Additionally, it is possible to load arbitrary JSON files remotely via the URL query-string parameter, so a victim can be directed to an attacker-controlled document.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "swagger-ui: cross-site scripting in key names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000229"
},
{
"category": "external",
"summary": "RHBZ#1360275",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000229",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000229"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229"
},
{
"category": "external",
"summary": "https://nodesecurity.io/advisories/126",
"url": "https://nodesecurity.io/advisories/126"
}
],
"release_date": "2016-07-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "swagger-ui: cross-site scripting in key names"
},
{
"cve": "CVE-2017-3159",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-02-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1420834"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the camel-snakeyaml component is exploitable for code execution when it unmarshals untrusted data. An attacker could use this vulnerability to send a specially crafted payload to a camel-snakeyaml endpoint and cause remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-3159"
},
{
"category": "external",
"summary": "RHBZ#1420834",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-3159",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3159"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc"
}
],
"release_date": "2016-12-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE"
}
]
}
RHSA-2017:2596
Vulnerability from csaf_redhat – Published: 2017-09-05 22:54 – Updated: 2025-11-21 18:02
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-maven33-groovy is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java.\n\nSecurity Fix(es):\n\n* Multiple object deserialization flaws were discovered in the MethodClosure class in Groovy. A specially crafted serialized object deserialized by an application using the Groovy library could cause the application to execute arbitrary code. (CVE-2015-3253, CVE-2016-6814)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2596",
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2596.json"
}
],
"title": "Red Hat Security Advisory: rh-maven33-groovy security update",
"tracking": {
"current_release_date": "2025-11-21T18:02:10+00:00",
"generator": {
"date": "2025-11-21T18:02:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2017:2596",
"initial_release_date": "2017-09-05T22:54:05+00:00",
"revision_history": [
{
"date": "2017-09-05T22:54:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-05T22:54:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:02:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product_id": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy-javadoc@1.8.9-7.19.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product_id": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy-javadoc@1.8.9-7.19.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3253",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243934"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "groovy: remote execution of untrusted code in class MethodClosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3253"
},
{
"category": "external",
"summary": "RHBZ#1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253"
},
{
"category": "external",
"summary": "http://seclists.org/oss-sec/2015/q3/121",
"url": "http://seclists.org/oss-sec/2015/q3/121"
}
],
"release_date": "2015-07-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-05T22:54:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"category": "workaround",
"details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + }\n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "groovy: remote execution of untrusted code in class MethodClosure"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy and, as such, are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-05T22:54:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017_0272
Vulnerability from csaf_redhat - Published: 2017-02-14 16:41 - Updated: 2024-11-22 10:41 — Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Data Virtualization.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems - such as multiple databases, XML files, and even Hadoop systems - appear as a set of tables in a local database.\n\nThis release of Red Hat JBoss Data Virtualization 6.3 Update 4 serves as a replacement for Red Hat JBoss Data Virtualization 6.3 Update 3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)\n\n* It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2016-2175)\n\n* It was found that the parsing of OOXML, XMP in PDF, and some other file formats by Apache Tika would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2016-4434)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:0272",
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform\u0026downloadType=securityPatches\u0026version=6.3.0"
},
{
"category": "external",
"summary": "1340386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340386"
},
{
"category": "external",
"summary": "1340396",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340396"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0272.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Data Virtualization security and bug fix update",
"tracking": {
"current_release_date": "2024-11-22T10:41:12+00:00",
"generator": {
"date": "2024-11-22T10:41:12+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:0272",
"initial_release_date": "2017-02-14T16:41:53+00:00",
"revision_history": [
{
"date": "2017-02-14T16:41:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-02-20T12:40:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T10:41:12+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Data Virtualization 6.3",
"product": {
"name": "Red Hat JBoss Data Virtualization 6.3",
"product_id": "Red Hat JBoss Data Virtualization 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_data_virtualization:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Data Virtualization"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-2175",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-05-27T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1340396"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the parsing of XMP and other XML formats in PDF by Apache PDFBox would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "pdfbox: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-2175"
},
{
"category": "external",
"summary": "RHBZ#1340396",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340396"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-2175",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-2175"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2175"
}
],
"release_date": "2016-05-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "pdfbox: XML External Entity vulnerability"
},
{
"cve": "CVE-2016-4434",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-05-26T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1340386"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the parsing of OOXML, XMP in PDF, and some other file formats by Apache Tika would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tika: XML External Entity vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-4434"
},
{
"category": "external",
"summary": "RHBZ#1340386",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1340386"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-4434",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-4434"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-4434",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4434"
}
],
"release_date": "2016-05-26T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "tika: XML External Entity vulnerability"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Data Virtualization 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-02-14T16:41:53+00:00",
"details": "Before applying the update, back up your existing Red Hat JBoss Data Virtualization installation (including its databases, applications, configuration files, and so on).\n\nNote that it is recommended to halt the Red Hat JBoss Data Virtualization server by stopping the JBoss Application Server process before installing this update, and then after installing the update, restart the Red Hat JBoss Data Virtualization server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss Data Virtualization 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0272"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss Data Virtualization 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017_2596
Vulnerability from csaf_redhat - Published: 2017-09-05 22:54 - Updated: 2024-11-14 20:54
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-maven33-groovy is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java.\n\nSecurity Fix(es):\n\n* Multiple object deserialization flaws were discovered in the MethodClosure class in Groovy. A specially crafted serialized object deserialized by an application using the Groovy library could cause the application to execute arbitrary code. (CVE-2015-3253, CVE-2016-6814)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:2596",
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_2596.json"
}
],
"title": "Red Hat Security Advisory: rh-maven33-groovy security update",
"tracking": {
"current_release_date": "2024-11-14T20:54:30+00:00",
"generator": {
"date": "2024-11-14T20:54:30+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2017:2596",
"initial_release_date": "2017-09-05T22:54:05+00:00",
"revision_history": [
{
"date": "2017-09-05T22:54:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2017-09-05T22:54:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:54:30+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product_id": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy-javadoc@1.8.9-7.19.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product_id": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy@1.8.9-7.19.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product_id": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-maven33-groovy-javadoc@1.8.9-7.19.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-0:1.8.9-7.19.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src"
},
"product_reference": "rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
},
"product_reference": "rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-2.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-3253",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2015-07-16T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1243934"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "groovy: remote execution of untrusted code in class MethodClosure",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-3253"
},
{
"category": "external",
"summary": "RHBZ#1243934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1243934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-3253",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-3253"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3253"
},
{
"category": "external",
"summary": "http://seclists.org/oss-sec/2015/q3/121",
"url": "http://seclists.org/oss-sec/2015/q3/121"
}
],
"release_date": "2015-07-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-05T22:54:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"category": "workaround",
"details": "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "groovy: remote execution of untrusted code in class MethodClosure"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-09-05T22:54:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4-6.7.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.noarch",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el6.src",
"6Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el6.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4-7.3.Z:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Server-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Server-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.noarch",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-0:1.8.9-7.19.el7.src",
"7Workstation-RHSCL-2.4:rh-maven33-groovy-javadoc-0:1.8.9-7.19.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
}
]
}
RHSA-2017:0868
Vulnerability from csaf_redhat - Published: 2017-04-03 21:02 - Updated: 2025-11-21 18:00
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Fuse and Red Hat JBoss A-MQ.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. It includes bug fixes and enhancements, which are documented in the readme.txt file included with the patch files.\n\nSecurity Fix(es):\n\n* It was reported that Elasticsearch had vulnerabilities in the Groovy scripting engine, which allow an attacker to construct scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM. (CVE-2015-1427)\n\n* It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)\n\n* It was found that Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. (CVE-2012-5783)\n\n* It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter. (CVE-2016-1000229)\n\n* A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client. (CVE-2016-6812)\n\n* Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk. (CVE-2016-8739)\n\n* A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there\u0027s no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data. (CVE-2016-9177)\n\n* It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send a specially crafted payload to a camel-snakeyaml endpoint and cause a remote code execution attack. (CVE-2017-3159)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2017:0868",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.fuse\u0026version=6.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=securityPatches\u0026product=jboss.amq.broker\u0026version=6.3.0"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/",
"url": "https://access.redhat.com/documentation/en/red-hat-jboss-fuse/"
},
{
"category": "external",
"summary": "873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "1191969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
},
{
"category": "external",
"summary": "1360275",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
},
{
"category": "external",
"summary": "1393607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
},
{
"category": "external",
"summary": "1406810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
},
{
"category": "external",
"summary": "1406811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
},
{
"category": "external",
"summary": "1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "1420834",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0868.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update",
"tracking": {
"current_release_date": "2025-11-21T18:00:04+00:00",
"generator": {
"date": "2025-11-21T18:00:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2017:0868",
"initial_release_date": "2017-04-03T21:02:28+00:00",
"revision_history": [
{
"date": "2017-04-03T21:02:28+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-02T15:51:20+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:00:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss A-MQ 6.3",
"product": {
"name": "Red Hat JBoss A-MQ 6.3",
"product_id": "Red Hat JBoss A-MQ 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_amq:6.3"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Fuse 6.3",
"product": {
"name": "Red Hat JBoss Fuse 6.3",
"product_id": "Red Hat JBoss Fuse 6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_fuse:6.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Fuse"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5783",
"discovery_date": "2012-11-04T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "873317"
}
],
"notes": [
{
"category": "description",
"text": "It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject\u0027s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5783"
},
{
"category": "external",
"summary": "RHBZ#873317",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=873317"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5783",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5783"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5783"
}
],
"release_date": "2012-10-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name"
},
{
"cve": "CVE-2015-1427",
"discovery_date": "2015-02-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1191969"
}
],
"notes": [
{
"category": "description",
"text": "It was reported that Elasticsearch versions 1.3.0-1.3.7 and 1.4.0-1.4.2 have vulnerabilities in the Groovy scripting engine. The vulnerability allows an attacker to construct Groovy scripts that escape the sandbox and execute shell commands as the user running the Elasticsearch Java VM.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "elasticsearch: remote code execution via Groovy sandbox bypass",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-1427"
},
{
"category": "external",
"summary": "RHBZ#1191969",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1191969"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-1427",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-1427"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-1427"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2015-02-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-03-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "elasticsearch: remote code execution via Groovy sandbox bypass"
},
{
"cve": "CVE-2015-7559",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2015-07-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1293972"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the Apache ActiveMQ client exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ActiveMQ: DoS in client via shutdown command",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2015-7559"
},
{
"category": "external",
"summary": "RHBZ#1293972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1293972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2015-7559",
"url": "https://www.cve.org/CVERecord?id=CVE-2015-7559"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7559"
}
],
"release_date": "2017-04-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "ActiveMQ: DoS in client via shutdown command"
},
{
"cve": "CVE-2016-6812",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-12-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1406810"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was found in FormattedServiceListWriter in Apache CXF HTTP transport module that could allow an attacker to inject unexpected matrix parameters into the request URL. On a successful injection these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6812"
},
{
"category": "external",
"summary": "RHBZ#1406810",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406810"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6812",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6812"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2016-6812.txt.asc?version=1\u0026modificationDate=1482164360602\u0026api=v2"
}
],
"release_date": "2016-12-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-cxf: XSS in Apache CXF FormattedServiceListWriter"
},
{
"cve": "CVE-2016-6814",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-01-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1413466"
}
],
"notes": [
{
"category": "description",
"text": "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Groovy: Remote code execution via deserialization",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-6814"
},
{
"category": "external",
"summary": "RHBZ#1413466",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
}
],
"release_date": "2017-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "Groovy: Remote code execution via deserialization"
},
{
"cve": "CVE-2016-8739",
"cwe": {
"id": "CWE-611",
"name": "Improper Restriction of XML External Entity Reference"
},
"discovery_date": "2016-12-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1406811"
}
],
"notes": [
{
"category": "description",
"text": "Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use Apache Abdera Parser to parse Atom feeds or Entries, with this Parser expanding XML entities by default. It was found that this represents a major XXE risk.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-8739"
},
{
"category": "external",
"summary": "RHBZ#1406811",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1406811"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-8739",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8739"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8739"
},
{
"category": "external",
"summary": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2",
"url": "http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1\u0026modificationDate=1482164360575\u0026api=v2"
}
],
"release_date": "2016-12-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE"
},
{
"cve": "CVE-2016-9177",
"discovery_date": "2016-11-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1393607"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal issue was found in Spark version 2.5 and potentially earlier versions. The vulnerability resides in the functionality to serve static files where there\u0027s no protection against directory traversal attacks. This could allow attackers access to private files including sensitive data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "Spark: Directory traversal vulnerability in version 2.5",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-9177"
},
{
"category": "external",
"summary": "RHBZ#1393607",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1393607"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-9177",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-9177"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-9177"
},
{
"category": "external",
"summary": "http://seclists.org/fulldisclosure/2016/Nov/13",
"url": "http://seclists.org/fulldisclosure/2016/Nov/13"
}
],
"release_date": "2016-11-04T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "Spark: Directory traversal vulnerability in version 2.5"
},
{
"cve": "CVE-2016-1000229",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2016-07-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1360275"
}
],
"notes": [
{
"category": "description",
"text": "It was found that swagger-ui contains a cross site scripting (XSS) vulnerability in the key names in the JSON document. An attacker could use this flaw to supply a key name with script tags which could cause arbitrary code execution. Additionally it is possible to load the arbitrary JSON files remotely via the URL query-string parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "swagger-ui: cross-site scripting in key names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000229"
},
{
"category": "external",
"summary": "RHBZ#1360275",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1360275"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000229",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000229"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229"
},
{
"category": "external",
"summary": "https://nodesecurity.io/advisories/126",
"url": "https://nodesecurity.io/advisories/126"
}
],
"release_date": "2016-07-21T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "swagger-ui: cross-site scripting in key names"
},
{
"cve": "CVE-2017-3159",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2017-02-08T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1420834"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the camel-snakeyaml component is exploitable for code execution. An attacker could use this vulnerability to send a specially crafted payload to a camel-snakeyaml endpoint, causing remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2017-3159"
},
{
"category": "external",
"summary": "RHBZ#1420834",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1420834"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2017-3159",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-3159"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3159"
},
{
"category": "external",
"summary": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc",
"url": "http://camel.apache.org/security-advisories.data/CVE-2017-3159.txt.asc"
}
],
"release_date": "2016-12-08T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2017-04-03T21:02:28+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application Server process before installing this update; after installing the update, restart the server by starting the JBoss Application Server process.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat JBoss A-MQ 6.3",
"Red Hat JBoss Fuse 6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "camel-snakeyaml: Unmarshalling operation is vulnerable to RCE"
}
]
}
CERTFR-2017-AVI-370
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Oracle | Database Server | Java VM versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
| Oracle | Database Server | RDBMS Security versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
| Oracle | Database Server | WLM (Apache Tomcat) version 12.2.0.1 |
| Oracle | Database Server | Spatial (Apache Groovy) version 12.2.0.1 |
| Oracle | Database Server | XML Database versions 11.2.0.4 et 12.1.0.2 |
| Oracle | Database Server | Core RDBMS versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Java VM versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "RDBMS Security versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "WLM (Apache Tomcat) version 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Spatial (Apache Groovy) version 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "XML Database versions 11.2.0.4 et 12.1.0.2",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Core RDBMS versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-8735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8735"
},
{
"name": "CVE-2017-10261",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10261"
},
{
"name": "CVE-2017-10321",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10321"
},
{
"name": "CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"name": "CVE-2017-10190",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10190"
},
{
"name": "CVE-2017-10292",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10292"
}
],
"links": [],
"reference": "CERTFR-2017-AVI-370",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2017-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2017-3236626 du 18 octobre 2017",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixDB"
}
]
}
CERTFR-2017-AVI-370
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle Database Server. Elles permettent à un attaquant de provoquer un déni de service, une atteinte à l'intégrité des données et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| Oracle | Database Server | Java VM versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
| Oracle | Database Server | RDBMS Security versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
| Oracle | Database Server | WLM (Apache Tomcat) version 12.2.0.1 |
| Oracle | Database Server | Spatial (Apache Groovy) version 12.2.0.1 |
| Oracle | Database Server | XML Database versions 11.2.0.4 et 12.1.0.2 |
| Oracle | Database Server | Core RDBMS versions 11.2.0.4, 12.1.0.2 et 12.2.0.1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Java VM versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "RDBMS Security versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "WLM (Apache Tomcat) version 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Spatial (Apache Groovy) version 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "XML Database versions 11.2.0.4 et 12.1.0.2",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Core RDBMS versions 11.2.0.4, 12.1.0.2 et 12.2.0.1",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-8735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8735"
},
{
"name": "CVE-2017-10261",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10261"
},
{
"name": "CVE-2017-10321",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10321"
},
{
"name": "CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"name": "CVE-2017-10190",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10190"
},
{
"name": "CVE-2017-10292",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10292"
}
],
"links": [],
"reference": "CERTFR-2017-AVI-370",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2017-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle Database\nServer. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service,\nune atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle Database Server",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuoct2017-3236626 du 18 octobre 2017",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixDB"
}
]
}
CERTFR-2017-AVI-371
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle VM Server pour x86 et Oracle Linux. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une exécution de code arbitraire et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Linux sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle VM Server pour x86 versions 3.3 et 3.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-8735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8735"
},
{
"name": "CVE-2017-10261",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10261"
},
{
"name": "CVE-2017-10321",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10321"
},
{
"name": "CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"name": "CVE-2017-10190",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10190"
},
{
"name": "CVE-2017-10292",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10292"
}
],
"links": [],
"reference": "CERTFR-2017-AVI-371",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2017-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle VM Server\npour x86 et Oracle Linux. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une\nex\u00e9cution de code arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle VM Server pour x86 et Oracle Linux",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle linuxbulletinoct2017 du 18 octobre 2017",
"url": "https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2017-4005894.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle ovmbulletinoct2017 du 18 octobre 2017",
"url": "https://www.oracle.com/technetwork/topics/security/ovmbulletinoct2017-4005895.html"
}
]
}
CERTFR-2017-AVI-371
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans Oracle VM Server pour x86 et Oracle Linux. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une exécution de code arbitraire et un déni de service à distance.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Linux sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle VM Server pour x86 versions 3.3 et 3.4",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-8735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8735"
},
{
"name": "CVE-2017-10261",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10261"
},
{
"name": "CVE-2017-10321",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10321"
},
{
"name": "CVE-2016-6814",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-6814"
},
{
"name": "CVE-2017-10190",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10190"
},
{
"name": "CVE-2017-10292",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-10292"
}
],
"links": [],
"reference": "CERTFR-2017-AVI-371",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2017-10-18T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "D\u00e9ni de service"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Oracle VM Server\npour x86 et Oracle Linux. Certaines d\u0027entre elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une\nex\u00e9cution de code arbitraire et un d\u00e9ni de service \u00e0 distance.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans Oracle VM Server pour x86 et Oracle Linux",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle linuxbulletinoct2017 du 18 octobre 2017",
"url": "https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2017-4005894.html"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle ovmbulletinoct2017 du 18 octobre 2017",
"url": "https://www.oracle.com/technetwork/topics/security/ovmbulletinoct2017-4005895.html"
}
]
}
FKIE_CVE-2016-6814
Vulnerability from fkie_nvd - Published: 2018-01-18 18:29 - Updated: 2024-11-21 02:56
| | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E | Patch, Vendor Advisory | |
| cve@mitre.org | http://rhn.redhat.com/errata/RHSA-2017-0272.html | Broken Link | |
| cve@mitre.org | http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | ||
| cve@mitre.org | http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | ||
| cve@mitre.org | http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | ||
| cve@mitre.org | http://www.securityfocus.com/bid/95429 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | http://www.securitytracker.com/id/1039600 | Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://access.redhat.com/errata/RHSA-2017:0868 | Broken Link | |
| cve@mitre.org | https://access.redhat.com/errata/RHSA-2017:2486 | Third Party Advisory | |
| cve@mitre.org | https://access.redhat.com/errata/RHSA-2017:2596 | Third Party Advisory | |
| cve@mitre.org | https://security.gentoo.org/glsa/202003-01 | ||
| cve@mitre.org | https://www.oracle.com/security-alerts/cpujan2020.html | ||
| cve@mitre.org | https://www.oracle.com/security-alerts/cpujul2020.html | ||
| cve@mitre.org | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | ||
| cve@mitre.org | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | ||
| cve@mitre.org | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://rhn.redhat.com/errata/RHSA-2017-0272.html | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95429 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.securitytracker.com/id/1039600 | Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2017:0868 | Broken Link | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2017:2486 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://access.redhat.com/errata/RHSA-2017:2596 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202003-01 | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujan2020.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/security-alerts/cpujul2020.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6EB4409D-39D4-4F6B-AD3E-2E9B0997B6A1",
"versionEndIncluding": "2.4.3",
"versionStartIncluding": "1.7.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C8F237F9-F70E-4815-BA42-5B5E8152965C",
"versionEndIncluding": "2.4.7",
"versionStartIncluding": "2.4.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."
},
{
"lang": "es",
"value": "Cuando una aplicaci\u00f3n con versiones de Codehaus no soportadas de Groovy desde la versi\u00f3n 1.7.0 hasta la 2.4.3 o Apache Groovy desde la versi\u00f3n 2.4.4 hasta la 2.4.7 en classpath usa mecanismos est\u00e1ndar de serializaci\u00f3n de Java (por ejemplo, para comunicarse entre servidores o almacenar datos locales), un atacante pudo preparar un objeto especialmente serializado que ejecutar\u00e1 c\u00f3digo directamente al ser deserializado. Todas las aplicaciones que dependen de la serializaci\u00f3n y no a\u00edslan el c\u00f3digo que deserializa objetos estaban sujetos a esta vulnerabilidad."
}
],
"id": "CVE-2016-6814",
"lastModified": "2024-11-21T02:56:53.077",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-01-18T18:29:00.233",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95429"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039600"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95429"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039600"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CNVD-2017-00746
Vulnerability from cnvd - Published: 2017-01-24

厂商已发布了漏洞修复程序,请及时关注更新: http://groovy-lang.org/security.html

| Name | Apache Groovy <=2.4.7 |
|---|---|
{
"bids": {
"bid": {
"bidNumber": "95429"
}
},
"cves": {
"cve": {
"cveNumber": "CVE-2016-6814"
}
},
"description": "Apache Groovy\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u79cd\u57fa\u4e8eJVM\u7684\u654f\u6377\u5f00\u53d1\u8bed\u8a00\uff0c\u5b83\u7ed3\u5408\u4e86Python\u3001Ruby\u548cSmalltalk\u7684\u8bb8\u591a\u5f3a\u5927\u7684\u7279\u6027\u3002\r\n\r\nApache Groovy2.4.8\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u8fd0\u884c\u7684\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u53ef\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
"discovererName": "Sam Thomas",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttp://groovy-lang.org/security.html",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-00746",
"openTime": "2017-01-24",
"patchDescription": "Apache Groovy\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u7684\u4e00\u79cd\u57fa\u4e8eJVM\u7684\u654f\u6377\u5f00\u53d1\u8bed\u8a00\uff0c\u5b83\u7ed3\u5408\u4e86Python\u3001Ruby\u548cSmalltalk\u7684\u8bb8\u591a\u5f3a\u5927\u7684\u7279\u6027\u3002\r\n\r\nApache Groovy2.4.8\u4e4b\u524d\u7684\u7248\u672c\u5b58\u5728\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u8fd0\u884c\u7684\u53d7\u5f71\u54cd\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u4e2d\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u53ef\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Apache Groovy\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": "Apache Groovy \u003c=2.4.7"
},
"referenceLink": "http://www.securityfocus.com/bid/95429",
"serverity": "\u9ad8",
"submitTime": "2017-01-18",
"title": "Apache Groovy\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e"
}
GHSA-XPHJ-M9CC-8FMQ
Vulnerability from github – Published: 2022-05-13 01:25 – Updated: 2024-10-17 16:19

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "2.4.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.4.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.groovy:groovy-all"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "2.4.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2016-6814"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": true,
"github_reviewed_at": "2022-07-06T19:46:12Z",
"nvd_published_at": "2018-01-18T18:29:00Z",
"severity": "CRITICAL"
},
"details": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.",
"id": "GHSA-xphj-m9cc-8fmq",
"modified": "2024-10-17T16:19:08Z",
"published": "2022-05-13T01:25:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-6814"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"type": "WEB",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"type": "WEB",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"type": "WEB",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Deserialization of Untrusted Data in Groovy"
}
GSD-2016-6814
Vulnerability from gsd - Updated: 2023-12-13 01:21

Note that the embedded gitlab.com advisory in this record gives an affected range of [1.7.0,2.4.3] with 2.4.4 as the fixed version, which differs from the NVD configuration and the GHSA record above, where 2.4.4 through 2.4.7 are also listed as vulnerable and 2.4.8 is the fixed version.

{
"GSD": {
"alias": "CVE-2016-6814",
"description": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.",
"id": "GSD-2016-6814",
"references": [
"https://access.redhat.com/errata/RHSA-2017:2596",
"https://access.redhat.com/errata/RHSA-2017:2486",
"https://access.redhat.com/errata/RHSA-2017:0868",
"https://access.redhat.com/errata/RHSA-2017:0272",
"https://advisories.mageia.org/CVE-2016-6814.html",
"https://linux.oracle.com/cve/CVE-2016-6814.html",
"https://ubuntu.com/security/CVE-2016-6814"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2016-6814"
],
"details": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.",
"id": "GSD-2016-6814",
"modified": "2023-12-13T01:21:23.015691Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_PUBLIC": "2018-01-15T00:00:00",
"ID": "CVE-2016-6814",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2017:2596",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"name": "RHSA-2017:0868",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "RHSA-2017:2486",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"name": "RHSA-2017:0272",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"name": "95429",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/95429"
},
{
"name": "1039600",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1039600"
},
{
"name": "GLSA-202003-01",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "CONFIRM",
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E",
"refsource": "MISC",
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[1.7.0,2.4.3]",
"affected_versions": "All versions starting from 1.7.0 up to 2.4.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-78",
"CWE-937"
],
"date": "2022-07-06",
"description": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.",
"fixed_versions": [
"2.4.4"
],
"identifier": "CVE-2016-6814",
"identifiers": [
"GHSA-xphj-m9cc-8fmq",
"CVE-2016-6814"
],
"not_impacted": "All versions before 1.7.0, all versions after 2.4.3",
"package_slug": "maven/org.codehaus.groovy/groovy",
"pubdate": "2022-05-13",
"solution": "Upgrade to version 2.4.4 or above.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2016-6814",
"https://access.redhat.com/errata/RHSA-2017:0868",
"https://access.redhat.com/errata/RHSA-2017:2486",
"https://access.redhat.com/errata/RHSA-2017:2596",
"https://security.gentoo.org/glsa/202003-01",
"https://www.oracle.com/security-alerts/cpujan2020.html",
"https://www.oracle.com/security-alerts/cpujul2020.html",
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E",
"http://rhn.redhat.com/errata/RHSA-2017-0272.html",
"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"https://github.com/advisories/GHSA-xphj-m9cc-8fmq"
],
"uuid": "4e63019e-4733-4a18-90cb-8ef8687f78cd"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.7",
"versionStartIncluding": "2.4.4",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:groovy:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.3",
"versionStartIncluding": "1.7.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-6814"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E",
"refsource": "MISC",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://mail-archives.apache.org/mod_mbox/www-announce/201701.mbox/%3CCADRx3PMZ2hBCGDTY35zYXFGaDnjAs0tc5-upaVs6QN2sYUejyA%40mail.gmail.com%3E"
},
{
"name": "RHSA-2017:2596",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2596"
},
{
"name": "RHSA-2017:2486",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2017:2486"
},
{
"name": "RHSA-2017:0868",
"refsource": "REDHAT",
"tags": [
"Broken Link"
],
"url": "https://access.redhat.com/errata/RHSA-2017:0868"
},
{
"name": "1039600",
"refsource": "SECTRACK",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securitytracker.com/id/1039600"
},
{
"name": "95429",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/95429"
},
{
"name": "RHSA-2017:0272",
"refsource": "REDHAT",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2017-0272.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"
},
{
"name": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html",
"refsource": "CONFIRM",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
},
{
"name": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "GLSA-202003-01",
"refsource": "GENTOO",
"tags": [],
"url": "https://security.gentoo.org/glsa/202003-01"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2020-07-15T03:15Z",
"publishedDate": "2018-01-18T18:29Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.