CVE-2016-6814
Code Execution vulnerability in groovy (Maven)

Code Execution No known exploit

What is CVE-2016-6814 About?

This vulnerability affects applications using specific Codehaus and Apache Groovy versions when utilizing standard Java serialization. An attacker can craft a special serialized object that executes arbitrary code upon deserialization. This represents a critical remote code execution flaw that can be exploited with moderate effort.

Affected Software

  • org.codehaus.groovy:groovy
    • >1.7.0, <2.4.8
  • org.codehaus.groovy:groovy-all
    • >1.7.0, <2.4.8

Technical Details

Applications that include Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on their classpath, and which use standard Java serialization mechanisms, are vulnerable. The flaw arises because Groovy's serializable classes can be leveraged as links in a 'gadget chain'. An attacker can craft a malicious serialized object that, when deserialized by the vulnerable application, invokes methods that lead to the execution of arbitrary code on the underlying system. Because this code runs inside ObjectInputStream.readObject(), before the application has any chance to validate the reconstructed object, it executes with the privileges of the deserializing application, creating a critical remote code execution vector.

What is the Impact of CVE-2016-6814?

Successful exploitation may allow attackers to execute arbitrary code on the server, gain full control over the affected system, or compromise sensitive data.

What is the Exploitability of CVE-2016-6814?

Exploiting this vulnerability involves crafting a malicious serialized object, which is of moderate complexity once the appropriate 'gadget chain' for Groovy is identified. No authentication is necessary if the application exposes a deserialization endpoint. This is a remote attack, requiring the attacker to send the crafted serialized payload to the vulnerable application instance. The primary prerequisites are the application's use of Groovy and its reliance on Java serialization for untrusted inputs. Systems that communicate between servers using serialization or store local serialized data are at high risk, especially if they do not adequately isolate or validate deserialized objects.
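The Technical Details and Exploitability sections above both come down to one condition: an ObjectInputStream that will resolve any class on the classpath, Groovy included, for input the application does not control. The following is an added example (not code from this page or from the Groovy project) showing the defensive counterpart in Java: the naive readObject() pattern beside a variant guarded by a JEP 290 ObjectInputFilter that allow-lists the types the endpoint actually expects, caps graph depth and size, and additionally refuses the Groovy packages outright. It assumes Java 9 or later for java.io.ObjectInputFilter; the Greeting DTO, the allow-list contents and the limit values are constructed for the example and would be replaced by the application's real types.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public final class SafeDeserializer {

    // Hypothetical application DTO standing in for the types an endpoint really expects.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allow-list of class names the endpoint may reconstruct (constructed for this example).
    private static final Set<String> ALLOWED_CLASSES = Set.of(
            Greeting.class.getName(),
            String.class.getName());

    // Package prefixes that are never legitimate in this endpoint's input; refusing the library
    // that carries the gadget chain is a second layer behind the allow-list, not a substitute.
    private static final String[] DENIED_PREFIXES = { "org.codehaus.groovy.", "groovy." };

    // JEP 290 filter: consulted for every class descriptor, array and reference in the stream,
    // before the class is resolved and before any readObject() hook on it can run.
    static final ObjectInputFilter FILTER = info -> {
        // Graph-shape limits (constructed values): gadget chains are deeply nested; plain DTOs are not.
        if (info.depth() > 8 || info.references() > 256 || info.arrayLength() > 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            return ObjectInputFilter.Status.UNDECIDED; // limit-only check, no class to decide on
        }
        while (cls.isArray()) {
            cls = cls.getComponentType(); // judge arrays by their element type
        }
        if (cls.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        String name = cls.getName();
        for (String prefix : DENIED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return ObjectInputFilter.Status.REJECTED;
            }
        }
        return ALLOWED_CLASSES.contains(name)
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // The pattern the advisory describes: any class on the classpath can be instantiated.
    public static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened variant: the filter is installed before readObject() is called.
    public static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an expected DTO, and an unexpected type standing in for
        // any object the endpoint was never meant to receive.
        byte[] expected = serialize(new Greeting("hello"));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("filtered, expected type: " + ((Greeting) deserializeFiltered(expected)).text);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
        // Unfiltered, the same bytes are accepted without question.
        System.out.println("unfiltered: " + deserializeUnfiltered(unexpected).getClass().getName());
    }
}
```

The allow-list is the control that actually closes the class of bug; the Groovy prefix block only documents the known gadget carrier and costs nothing. A filter can also be applied process-wide with ObjectInputFilter.Config.setSerialFilter() or the jdk.serialFilter system property, which is the better choice when the codebase has many ObjectInputStream call sites, and on Java 8 the same mechanism is available from update 121 under sun.misc.ObjectInputFilter. None of this replaces the upgrade to 2.4.8; it limits exposure until every deserialization path has been reviewed.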

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2016-6814?

Available Upgrade Options

  • org.codehaus.groovy:groovy-all
    • >1.7.0, <2.4.8 → Upgrade to 2.4.8
  • org.codehaus.groovy:groovy
    • >1.7.0, <2.4.8 → Upgrade to 2.4.8


Additional Resources

What are Similar Vulnerabilities to CVE-2016-6814?

Similar Vulnerabilities: CVE-2015-7501, CVE-2017-1000109, CVE-2019-17558, CVE-2020-13936, CVE-2020-17521