You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@groovy.apache.org by "Paul King (Jira)" <ji...@apache.org> on 2021/03/01 22:24:00 UTC
[jira] [Deleted] (GROOVY-9959) Disclosing a Security Vulnerability
in Groovy 3.0.4
[ https://issues.apache.org/jira/browse/GROOVY-9959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul King deleted GROOVY-9959:
------------------------------
> Disclosing a Security Vulnerability in Groovy 3.0.4
> ---------------------------------------------------
>
> Key: GROOVY-9959
> URL: https://issues.apache.org/jira/browse/GROOVY-9959
> Project: Groovy
> Issue Type: Bug
> Reporter: Amir Naseredini
> Priority: Major
>
> Hello,
> I hope you are safe and well.
> We want to responsibility disclose to you that in the process of evaluating your product against Spectre attacks during our recent work, our group was able to exploit a program generated with Groovy 3.0.4 and extract secret data from it.
> Spectre exploits the mismatch between architectural and microarchitectural states by mistraining branch predictors, so victim code (called gadget) executes a mispredicted branch and then rolls back the architectural state. in our attack written in C, the victim was written in Groovy and compiled with Groovy 3.0.4.
> We show in our work, that it is possible to develop Spectre attacks that exploit the vulnerability in the program generated with Groovy 3.0.4. In addition, we were not able to find any active mitigations in your product.
> Please feel free to contact us should you have any further questions or concerns. We would also be happy to share the paper with you confidentially.
> Warm regards,
> Amir Naseredini
> PhD candidate at the University of Sussex and visiting researcher at TU Graz
--
This message was sent by Atlassian Jira
(v8.3.4#803005)