{
  "threat_severity" : "Important",
  "public_date" : "2017-01-14T00:00:00Z",
  "bugzilla" : {
    "description" : "Groovy: Remote code execution via deserialization",
    "id" : "1413466",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1413466"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to bake a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.", "It was found that a flaw in Apache groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability." ],
  "statement" : "This issue affects the versions of groovy as shipped with Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship groovy, as such they are not affected by this vulnerability.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-17T00:00:00Z",
    "advisory" : "RHSA-2017:2486",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "groovy-0:1.8.9-8.el7_4"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6.3",
    "release_date" : "2017-04-03T00:00:00Z",
    "advisory" : "RHSA-2017:0868",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.3"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6.3",
    "release_date" : "2017-02-14T00:00:00Z",
    "advisory" : "RHSA-2017:0272",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.3",
    "package" : "groovy",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.3",
    "release_date" : "2017-04-03T00:00:00Z",
    "advisory" : "RHSA-2017:0868",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.3"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-09-05T00:00:00Z",
    "advisory" : "RHSA-2017:2596",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "rh-maven33-groovy-0:1.8.9-7.19.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Will not fix",
    "package_name" : "jasperreports-server-pro",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss A-MQ 6",
    "fix_state" : "Affected",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_amq:6"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Will not fix",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Affected",
    "package_name" : "camel",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 5",
    "fix_state" : "Under investigation",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:openshift:2"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "groovy",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-6814\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-6814" ],
  "name" : "CVE-2016-6814",
  "csaw" : false
}