Groovy: Arbitrary code execution

2016-10-06T00:00:00
ID GLSA-201610-01
Type gentoo
Reporter Gentoo Foundation
Modified 2016-10-06T00:00:00

Description

Background

A multi-faceted language for the Java platform

Description

Groovy’s MethodClosure class, in runtime/MethodClosure.java, is vulnerable when deserializing a crafted serialized object.

Impact

Remote attackers could potentially execute arbitrary code or cause a Denial of Service condition.

Workaround

A workaround exists: use a custom security policy file with the standard Java security manager, or do not rely on serialization to communicate remotely.
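
As an added, defender-side illustration that is not part of this advisory and not Groovy's own code, the filter below uses java.io.ObjectInputFilter (Java 9 and later, a separate mechanism from the security-manager policy the workaround describes) to refuse the class named above, and anything outside a short allowlist, before the stream can instantiate it. The fully qualified name org.codehaus.groovy.runtime.MethodClosure and the helper class Unlisted are assumptions made for the example.

```java
import java.io.*;
import java.util.*;

public class GroovyDeserializationGuard {
    // Assumed fully qualified name of the class the advisory refers to.
    static final String METHOD_CLOSURE = "org.codehaus.groovy.runtime.MethodClosure";

    // Deny MethodClosure explicitly, allow a small allowlist, reject everything else.
    // A null serialClass means a limit check (depth, reference count), not a class
    // descriptor, so that decision is left to the stream.
    static final ObjectInputFilter FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;
        String name = c.getName();
        if (name.equals(METHOD_CLOSURE)) return ObjectInputFilter.Status.REJECTED;
        if (name.startsWith("java.lang.") || name.startsWith("java.util.")) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED; // default deny
    };

    // The filter is consulted for every class descriptor before it is resolved, so a
    // rejected class raises InvalidClassException before its readObject() can run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Constructed stand-in for a class that is not on the allowlist.
    static class Unlisted implements Serializable {}

    public static void main(String[] args) throws Exception {
        // Allowlisted payload round-trips.
        System.out.println(readFiltered(serialize(new ArrayList<>(List.of("ok")))));
        // Anything outside the allowlist (MethodClosure included) is refused.
        try {
            readFiltered(serialize(new Unlisted()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same deny rule can be applied process-wide without code changes via the JVM property -Djdk.serialFilter='!org.codehaus.groovy.runtime.MethodClosure', which affects every ObjectInputStream that does not install its own filter.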

Resolution

All Groovy users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-java/groovy-2.4.5"