Groovy is vulnerable to remote execution of arbitrary code when Java serialization is used.
Package | dev-java/groovy on all architectures |
---|---|
Affected versions | < 2.4.5 |
Unaffected versions | >= 2.4.5 |
Groovy is a multi-faceted language for the Java platform.
Groovy’s MethodClosure class, in runtime/MethodClosure.java, is vulnerable to a crafted serialized object.
Remote attackers could potentially execute arbitrary code or cause a Denial of Service condition.
As a workaround, use a custom security policy file with the standard Java security manager, or do not rely on serialization to communicate remotely.
All Groovy users should upgrade to the latest version:
```
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/groovy-2.4.5"
```
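An added example, not part of the advisory or of Groovy: a heuristic check a defender could run over captured request bodies or stored blobs, while hosts are still being upgraded, to see whether a Java serialization stream declares the MethodClosure class. The fully qualified class name is inferred from the `runtime/MethodClosure.java` path above, the sample streams are constructed, and the code scans class descriptors rather than parsing the full stream grammar.

```python
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72  # type codes: new object, new class descriptor
FLAGGED = {"org.codehaus.groovy.runtime.MethodClosure"}  # assumed FQCN (see lead-in)
CLASS_NAME = re.compile(r"\[*[A-Za-z_$][\w$.]*;?")

def normalize(blob: bytes) -> bytes:
    """Return raw stream bytes; accepts base64 text (prefix 'rO0AB'), else b''."""
    text = blob.strip()
    if text.startswith(b"rO0AB"):
        try:
            blob = base64.b64decode(text)
        except ValueError:  # malformed base64
            return b""
    return blob if blob.startswith(STREAM_MAGIC) else b""

def class_names(stream: bytes) -> list:
    """Heuristically list class names declared by TC_CLASSDESC records."""
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", stream, i + 1)  # 2-byte name length
            raw = stream[i + 3 : i + 3 + n]
            # A real descriptor continues with serialVersionUID (8) + flags (1).
            if len(raw) == n and i + 3 + n + 9 <= len(stream):
                name = raw.decode("ascii", "replace")
                if CLASS_NAME.fullmatch(name):
                    names.append(name)
                    i += 3 + n + 9  # skip past the name, UID and flags
                    continue
        i += 1
    return names

def flagged_classes(blob: bytes) -> list:
    """Names from FLAGGED that the blob declares; [] if none or not a stream."""
    return sorted(set(class_names(normalize(blob))) & FLAGGED)

def sample_stream(name: str) -> bytes:
    """Constructed input: stream header plus one field-less class descriptor."""
    body = struct.pack(">H", len(name)) + name.encode() + bytes(8) + b"\x02\x00\x00\x78\x70"
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + body

if __name__ == "__main__":
    closure = sample_stream("org.codehaus.groovy.runtime.MethodClosure")
    benign = base64.b64encode(sample_stream("java.util.ArrayList"))
    for label, blob in [("closure", closure), ("benign", benign)]:
        print(label, flagged_classes(blob) or "no flagged class")
```

A hit only shows that the stream names the class; it is a triage signal for review, not proof of exploitation.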
Release date
October 06, 2016
Latest revision
October 06, 2016: 1
Severity
normal
Exploitable
remote
Bugzilla entries