GLSA Advocate
Posted: Sat Jul 30, 2016 1:26 am Post subject: [ GLSA 201607-17 ] BeanShell

Gentoo Linux Security Advisory
Title: BeanShell: Arbitrary code execution (GLSA 201607-17)
Severity: normal
Exploitable: remote
Date: July 30, 2016
Bug(s): #575482
ID: 201607-17
Synopsis
BeanShell is vulnerable to the remote execution of arbitrary code
via Java serialization or XStream from an untrusted source.
Background
BeanShell is a small, free, embeddable Java source interpreter with
object scripting language features, written in Java.
Affected Packages
Package: dev-java/bsh
Vulnerable: < 2.0_beta6
Unaffected: >= 2.0_beta6
Architectures: All supported architectures
Description
An application that includes BeanShell on the classpath may be
vulnerable if another part of the application uses Java serialization or
XStream to deserialize data from an untrusted source.
Impact
Remote attackers could execute arbitrary code including shell commands.
Workaround
There is no known workaround at this time.
Resolution
All BeanShell users should upgrade to the latest version:

Code:
# emerge --sync
# emerge --ask --verbose --oneshot ">=dev-java/bsh-2.0_beta6"

References
BeanShell 2.0b6 Release Information
CVE-2016-2510
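The Description above states the condition precisely: the dangerous ingredient is not BeanShell being called, but BeanShell merely sitting on the classpath while some other code path deserializes attacker-controlled bytes. The upgrade is the fix; the general defence for that pattern is to refuse any class the application did not explicitly expect to receive. The following is an added illustration of that defence in plain JDK code, not part of the advisory or of the BeanShell project. The `Order` type, the `AllowlistDeserialization` class and the allowlist contents are assumptions chosen for the example.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not from the advisory): an ObjectInputStream that resolves
 * only classes on an explicit allowlist. A stream naming any other class,
 * including anything under bsh.*, is refused before that class is loaded
 * or instantiated, so gadget classes on the classpath never get a chance to run.
 */
public class AllowlistDeserialization {

    // Hypothetical payload type that the application actually expects to receive.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int quantity;
        Order(String item, int quantity) { this.item = item; this.quantity = quantity; }
    }

    // The complete set of types this endpoint is allowed to deserialize (assumed for the example).
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            Order.class.getName()
    )));

    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        public AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        // Called for every class descriptor in the stream, before the class is loaded.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // InvalidClassException is an IOException, so it propagates out of readObject()
                // instead of being swallowed the way a ClassNotFoundException would be.
                throw new InvalidClassException(name, "class is not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected type: accepted.
        Order ok = (Order) deserialize(serialize(new Order("widget", 3)));
        System.out.println("accepted: " + ok.item + " x" + ok.quantity);

        // Constructed stand-in for an unexpected type (here a java.util.ArrayList):
        // refused at resolveClass, before any instance exists.
        try {
            deserialize(serialize(new ArrayList<String>(Arrays.asList("not", "expected"))));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDeserialization.java && java AllowlistDeserialization`; the first call prints the accepted order and the second prints the rejection. On Java 9 and later (and 8u121 and later) the same policy can be expressed without a subclass through `ObjectInputFilter`, either per stream with `setObjectInputFilter` or process-wide with the `jdk.serialFilter` system property. For the XStream path the advisory also names, the equivalent is XStream's own type permissions: clear the defaults with `addPermission(NoTypePermission.NONE)` and then `allowTypes(...)` only the classes the application expects.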