Description of problem: CVE-2016-6814 does not affect JON directly. However, we should take a defence-in-depth approach by applying the following patch to the Groovy version included with JON 3.3.7 if we do another release.

Additional info: Users of older versions of Groovy can apply the following patch to the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):

public class MethodClosure extends Closure { + private void readObject(java.io.ObjectInputStream stream) throws IOException, ClassNotFoundException { + if (ALLOW_RESOLVE) { + stream.defaultReadObject(); + } + throw new UnsupportedOperationException(); + }

Ref: http://groovy-lang.org/security.html
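Review bot: the final `throw new UnsupportedOperationException();` in the added readObject sits outside the `if (ALLOW_RESOLVE)` block, so deserialization of a MethodClosure ends in an exception whether or not the flag is set; if fail-closed is the intent, the `stream.defaultReadObject();` call is dead work and can be dropped, and if the flag is meant to permit deserialization, the throw belongs in an `else` branch. The hunk also references `ALLOW_RESOLVE` without showing its declaration, so anyone applying this to an older MethodClosure needs to confirm that field exists (defaulting to false) or the class will not compile.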
Moving to ON_QA as available to test with the following brew build: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=535315 NOTE: jon-server-patch-3.3.0.GA.zip maps to jon-server-3.3.0.GA-update-08.zip, which is the JON 3.3.8 ER02 build.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2017-0285.html