Bug 1188569 (CVE-2021-32751)

Summary: VUL-0: CVE-2021-32751: gradle: `application` plugin and the `gradlew` script are both vulnerable to arbitrary code execution
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: package coldpool <coldpool>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: amajer, amehmood, cathy.hu, fstrba, johannes.hahn, malbu, mvetter, pgajdos, pmonrealgonzalez, smash_bz, stoyan.manolov, thomas.leroy
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/304780/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-32751:4.8:(AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2021-07-21 13:46:23 UTC 
CVE-2021-32751

Gradle is a build tool with a focus on build automation. In versions prior to
7.2, start scripts generated by the `application` plugin and the `gradlew`
script are both vulnerable to arbitrary code execution when an attacker is able
to change environment variables for the user running the script. This may impact
those who use `gradlew` on Unix-like systems or use the scripts generated by
Gradle in thieir application on Unix-like systems. For this vulnerability to be
exploitable, an attacker needs to be able to set the value of particular
environment variables and have those environment variables be seen by the
vulnerable scripts. This issue has been patched in Gradle 7.2 by removing the
use of `eval` and requiring the use of the `bash` shell.

There are a few workarounds available. For CI/CD systems using the Gradle build
tool, one may ensure that untrusted users are unable to change environment
variables for the user that executes `gradlew`. If one is unable to upgrade to
Gradle 7.2, one may generate a new `gradlew` script with Gradle 7.2 and use it
for older versions of Gradle.  Fpplications using start scripts generated by
Gradle, one may ensure that untrusted users are unable to change environment
variables for the user that executes the start script. A vulnerable start script
could be manually patched to remove the use of `eval` or the use of environment
variables that affect the application's command-line. If the application is
simple enough, one may be able to avoid the use of the start scripts by running
the application directly with Java command.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32751
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32751
https://github.com/gradle/gradle/security/advisories/GHSA-6j2p-252f-7mw8
https://mywiki.wooledge.org/BashFAQ/048
https://medium.com/dot-debug/the-perils-of-bash-eval-cc5f9e309cae
Comment 1 Hu 2022-08-16 13:26:04 UTC 
Reassigning to coldpool, could you please take a look into SUSE:SLE-15-SP2:Update? Thanks!
Comment 2 Petr Gajdos 2022-08-23 10:52:44 UTC 
15sp2/gradle has the same version as Factory/gradle so in case 15sp2/gradle is affecte then Factory/gradle has the issue as well.

Adding maintainers of Java:packages, the package itself does not have a maintainer defined.