Vulnerability CVE-2016-6814

Vulnerability Name:

CVE-2016-6814 (CCN-123944)

Assigned:

2016-08-12

Published:

2017-01-14

Updated:

2020-07-15

Summary:

When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.6 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
8.3 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.6 Critical (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
8.3 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-502

Vulnerability Consequences:

Gain Access

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:groovy:*:*:*:*:*:*:*:* (Version >= 1.7.0 and <= 2.4.3)

OR cpe:/a:apache:groovy:*:*:*:*:*:*:*:* (Version >= 2.4.4 and <= 2.4.7)

Configuration 2:

cpe:/o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:groovy:*:*:*:*:*:*:*:*

AND

cpe:/a:oracle:retail_integration_bus:13.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:jdeveloper:12.2.1.2.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_a-mq:6.3:*:*:*:*:*:*:*

OR cpe:/a:redhat:jboss_fuse:6.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:enterprise_manager_ops_center:12.3.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:10.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:15.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:9.13:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_unifier:9.14:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:1.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:1.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:14.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:15.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:16.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:13.2.9:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:14.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:15.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_store_inventory_management:16.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm_framework:9.3.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:database_server:12.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_allocation:13.3.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_allocation:14.0.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_allocation:14.1.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_allocation:15.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_allocation:16.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm_mcad_connector:3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm_mcad_connector:3.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_product_lifecycle_management_framework:9.3.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:agile_plm_framework:9.3.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:13.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:webcenter_sites:12.2.1.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:12.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:14.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:14.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:15.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_integration_bus:16.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:big_data_spatial_and_graph:2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.cosmic:def:201668140000000	V	CVE-2016-6814 on Ubuntu 18.10 (cosmic) - medium.	2018-01-18
oval:com.ubuntu.bionic:def:201668140000000	V	CVE-2016-6814 on Ubuntu 18.04 LTS (bionic) - medium.	2018-01-18
oval:com.ubuntu.artful:def:20166814000	V	CVE-2016-6814 on Ubuntu 17.10 (artful) - medium.	2018-01-18
oval:com.ubuntu.trusty:def:20166814000	V	CVE-2016-6814 on Ubuntu 14.04 LTS (trusty) - medium.	2018-01-18
oval:com.ubuntu.xenial:def:201668140000000	V	CVE-2016-6814 on Ubuntu 16.04 LTS (xenial) - medium.	2018-01-18
oval:com.ubuntu.bionic:def:20166814000	V	CVE-2016-6814 on Ubuntu 18.04 LTS (bionic) - medium.	2018-01-18
oval:com.ubuntu.xenial:def:20166814000	V	CVE-2016-6814 on Ubuntu 16.04 LTS (xenial) - medium.	2018-01-18
oval:com.ubuntu.disco:def:201668140000000	V	CVE-2016-6814 on Ubuntu 19.04 (disco) - medium.	2018-01-18
oval:com.ubuntu.cosmic:def:20166814000	V	CVE-2016-6814 on Ubuntu 18.10 (cosmic) - medium.	2018-01-18
oval:com.redhat.rhsa:def:20172486	P	RHSA-2017:2486: groovy security update (Important)	2017-08-17
oval:com.ubuntu.precise:def:20166814000	V	CVE-2016-6814 on Ubuntu 12.04 LTS (precise) - medium.	2016-12-31

BACK