Groovy: Arbitrary code execution — GLSA 201610-01

Groovy is vulnerable to a remote execution of arbitrary code when java serialization is used.

Affected Packages

dev-java/groovy on all architectures
Affected versions < 2.4.5
Unaffected versions >= 2.4.5

Background

A multi-faceted language for the Java platform

Description

Groovy’s MethodClosure class, in runtime/MethodClosure.java, is vulnerable to a crafted serialized object.

Impact

Remote attackers could potentially execute arbitrary code, or cause Denial of Service condition

Workaround

A workaround exists by using a custom security policy file utilizing the standard Java security manager, or do not rely on serialization to communicate remotely.

Resolution

All Groovy users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/groovy-2.4.5"
 

References

Release Date
October 06, 2016

Latest Revision
October 06, 2016: 1

Severity
normal

Exploitable
remote

Bugzilla entries