Candidate: CVE-2016-6814
PublicDate: 2018-01-18 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6814
 http://www.openwall.com/lists/oss-security/2017/01/14/3
Description:
 When an application with unsupported Codehaus versions of Groovy from 1.7.0
 to 2.4.3, Apache Groovy 2.4.4 to 2.4.7 on classpath uses standard Java
 serialization mechanisms, e.g. to communicate between servers or to store
 local data, it was possible for an attacker to bake a special serialized
 object that will execute code directly when deserialized. All applications
 which rely on serialization and do not isolate the code which deserializes
 objects were subject to this vulnerability.
Ubuntu-Description:
 It was discovered that Apache Groovy incorrectly handled incorrectly handled
 serialization mechanisms. An attacker could possibly use this issue to execute
 arbitrary code.
Notes:
 ebarretto> groovy in Xenial is currently FTBFS. Also there's no more support
 ebarretto> from upstream to that version (1.8.6)
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851408
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_groovy:
upstream_groovy: released (2.4.8-1)
precise_groovy: ignored (reached end-of-life)
precise/esm_groovy: DNE (precise was needed)
trusty_groovy: ignored (reached end-of-life)
trusty/esm_groovy: DNE (trusty was needed)
vivid/stable-phone-overlay_groovy: DNE
vivid/ubuntu-core_groovy: DNE
xenial_groovy: ignored (end of standard support, was needed)
yakkety_groovy: ignored (reached end-of-life)
zesty_groovy: not-affected (2.4.8-1)
artful_groovy: not-affected (2.4.8-1)
bionic_groovy: not-affected (2.4.8-1)
cosmic_groovy: not-affected (2.4.8-1)
disco_groovy: not-affected (2.4.8-1)
eoan_groovy: not-affected (2.4.8-1)
focal_groovy: not-affected (2.4.8-1)
groovy_groovy: not-affected (2.4.8-1)
hirsute_groovy: not-affected (2.4.8-1)
impish_groovy: not-affected (2.4.8-1)
jammy_groovy: not-affected (2.4.8-1)
devel_groovy: not-affected (2.4.8-1)

Patches_groovy2:
upstream_groovy2: needs-triage
precise_groovy2: DNE
precise/esm_groovy2: DNE
trusty_groovy2: DNE
trusty/esm_groovy2: DNE
vivid/stable-phone-overlay_groovy2: DNE
vivid/ubuntu-core_groovy2: DNE
xenial_groovy2: ignored (end of standard support, was needed)
yakkety_groovy2: DNE
zesty_groovy2: DNE
artful_groovy2: DNE
bionic_groovy2: DNE
cosmic_groovy2: DNE
disco_groovy2: DNE
eoan_groovy2: DNE
focal_groovy2: DNE
groovy_groovy2: DNE
hirsute_groovy2: DNE
impish_groovy2: DNE
jammy_groovy2: DNE
devel_groovy2: DNE