groovy security update

Published: 2017-08-31 18:58:56
Source: CentOS Project (lists.centos.org)

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.037 Low
  Percentile: 91.6%

CentOS Errata and Security Advisory CESA-2017:2486

Groovy is an agile and dynamic language for the Java Virtual Machine, built upon Java with features inspired by languages like Python, Ruby, and Smalltalk. It seamlessly integrates with all existing Java objects and libraries and compiles straight to Java bytecode so you can use it anywhere you can use Java.

Security Fix(es):

  • It was found that a flaw in the Apache Groovy library allows remote code execution wherever deserialization occurs in the application. It is possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability. (CVE-2016-6814)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-cr-announce/2017-August/030962.html

Affected packages:
groovy
groovy-javadoc

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:2486

OS      OS version  Architecture  Package         Package version    Filename
CentOS  7           noarch        groovy          < 1.8.9-8.el7_4    groovy-1.8.9-8.el7_4.noarch.rpm
CentOS  7           noarch        groovy-javadoc  < 1.8.9-8.el7_4    groovy-javadoc-1.8.9-8.el7_4.noarch.rpm
