- Bug
- Resolution: Not an Issue
- P3
- None
- 17.0.9
- x86_64
- linux
- Verified
ADDITIONAL SYSTEM INFORMATION :
ubuntu 20.04
openjdk version "1.8.0_392"
OpenJDK Runtime Environment (Temurin)(build 1.8.0_392-b08)
OpenJDK 64-Bit Server VM (Temurin)(build 25.392-b08, mixed mode)
openjdk version "11.0.21" 2023-10-17
OpenJDK Runtime Environment Temurin-11.0.21+9 (build 11.0.21+9)
OpenJDK 64-Bit Server VM Temurin-11.0.21+9 (build 11.0.21+9, mixed mode)
openjdk version "17.0.9" 2023-10-17
OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)
OpenJDK 64-Bit Server VM Temurin-17.0.9+9 (build 17.0.9+9, mixed mode, sharing)
A DESCRIPTION OF THE PROBLEM :
ysoserial.payloads.Groovy1 calls the getObject() method of the class through a series of passes, where OpenJDK8 reports nothing, OpenJDK11 reports some WARNING, and OpenJDK17 throws an exception.
We uploaded the bytecode files needed to reproduce the issue to Google Cloud Drive.
https://drive.google.com/file/d/1LDopfZRAiu1MfXvNFPM_Vda2sINBObYW/view?usp=sharing
REGRESSION : Last worked in version 17.0.9
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
jdk_linux_8_hotspot/bin/java -cp ./lib/groovy-all-2.3.9.jar:./ ysoserial.payloads.Groovy1
jdk_linux_11_hotspot/bin/java --illegal-access=warn -cp ./lib/groovy-all-2.3.9.jar:./ ysoserial.payloads.Groovy1
jdk_linux_17_hotspot/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED -cp ./lib/groovy-all-2.3.9.jar:./ ysoserial.payloads.Groovy1
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
---------------jdk_linux_8_hotspot---------------
nothing
---------------jdk_linux_11_hotspot---------------
nothing
---------------jdk_linux_17_hotspot---------------
nothing
ACTUAL -
---------------jdk_linux_8_hotspot---------------
nothing
---------------jdk_linux_11_hotspot---------------
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.finalize()
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.clone()
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.registerNatives()
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
---------------jdk_linux_17_hotspot---------------
Exception in thread "main" BUG! UNCAUGHT EXCEPTION: java.lang.invoke.MethodHandles$Lookup.<init>(java.lang.Class,int)
at org.codehaus.groovy.vmplugin.v7.Java7.<clinit>(Java7.java:44)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Unknown Source)
at java.base/java.lang.reflect.ReflectAccess.newInstance(Unknown Source)
at java.base/jdk.internal.reflect.ReflectionFactory.newInstance(Unknown Source)
at java.base/java.lang.Class.newInstance(Unknown Source)
at org.codehaus.groovy.vmplugin.VMPluginFactory.createPlugin(VMPluginFactory.java:56)
at org.codehaus.groovy.vmplugin.VMPluginFactory.<clinit>(VMPluginFactory.java:37)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:99)
at org.codehaus.groovy.runtime.metaclass.MetaClassRegistryImpl.<init>(MetaClassRegistryImpl.java:71)
at groovy.lang.GroovySystem.<clinit>(GroovySystem.java:33)
at org.codehaus.groovy.runtime.InvokerHelper.<clinit>(InvokerHelper.java:61)
at groovy.lang.GroovyObjectSupport.<init>(GroovyObjectSupport.java:32)
at groovy.lang.Closure.<init>(Closure.java:219)
at groovy.lang.Closure.<init>(Closure.java:236)
at groovy.lang.Closure$1.<init>(Closure.java:203)
at groovy.lang.Closure.<clinit>(Closure.java:203)
at ysoserial.payloads.Groovy1.getObject(Unknown Source)
at ysoserial.payloads.Groovy1.getObject(Unknown Source)
at ysoserial.payloads.util.PayloadRunner$1.call(Unknown Source)
at ysoserial.payloads.util.PayloadRunner$1.call(Unknown Source)
at ysoserial.ExecBlockingSecurityManager.wrap(Unknown Source)
at ysoserial.payloads.util.PayloadRunner.run(Unknown Source)
at ysoserial.payloads.Groovy1.main(Unknown Source)
Caused by: java.lang.NoSuchMethodException: java.lang.invoke.MethodHandles$Lookup.<init>(java.lang.Class,int)
at java.base/java.lang.Class.getConstructor0(Unknown Source)
at java.base/java.lang.Class.getDeclaredConstructor(Unknown Source)
at org.codehaus.groovy.vmplugin.v7.Java7.<clinit>(Java7.java:42)
... 25 more
FREQUENCY : always
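A triage sketch for the output above, added here as an example and not part of the original report: it extracts the packages named in the JDK 11 warnings, compares them with the package opened by the JDK 17 command line, and classifies the root exception. The log strings are copied from the report; the function names and the exception-to-category mapping are assumptions of this example.

```python
import re

# Lines copied from the report above: JDK 11 warnings, JDK 17 flag, JDK 17 root cause.
JDK11_LOG = """\
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.finalize()
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.clone()
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass$3$1 to method java.lang.Object.registerNatives()
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
"""
JDK17_FLAGS = "--add-opens=java.base/java.lang=ALL-UNNAMED"
JDK17_CAUSE = ("Caused by: java.lang.NoSuchMethodException: "
               "java.lang.invoke.MethodHandles$Lookup.<init>(java.lang.Class,int)")

WARN_RE = re.compile(
    r"^WARNING: Illegal reflective access by (\S+) to (method|constructor|field) (\S+)$")
# Assumed mapping: lookup failures vs. access-check failures.
MISSING = {"java.lang.NoSuchMethodException", "java.lang.NoSuchFieldException"}
ENCAPSULATION = {"java.lang.reflect.InaccessibleObjectException",
                 "java.lang.IllegalAccessException"}

def target_packages(log):
    """Map each JDK package hit by illegal reflective access to its callers."""
    hits = {}
    for line in log.splitlines():
        m = WARN_RE.match(line.strip())
        if not m:
            continue
        caller, kind, member = m.groups()
        owner = member.split("(")[0]           # drop the parameter list
        if kind != "constructor":              # methods/fields carry a member name
            owner = owner.rpartition(".")[0]
        hits.setdefault(owner.rpartition(".")[0], set()).add(caller)
    return hits

def opened_packages(flags):
    """Packages named in --add-opens=<module>/<package>=<target> options."""
    return set(re.findall(r"--add-opens[= ][\w.]+/([\w.]+)=", flags))

def triage(log, flags, cause_line):
    unopened = sorted(set(target_packages(log)) - opened_packages(flags))
    m = re.match(r"Caused by: ([\w.$]+): ", cause_line)
    exc = m.group(1) if m else None
    # A missing member fails at lookup, before any access check runs,
    # so opening more packages cannot change that outcome.
    kind = ("member-missing" if exc in MISSING
            else "encapsulation" if exc in ENCAPSULATION else "other")
    return {"unopened": unopened, "root_exception": exc, "kind": kind}

if __name__ == "__main__":
    print(triage(JDK11_LOG, JDK17_FLAGS, JDK17_CAUSE))
```

On the report's data this flags `java.lang.invoke` as touched but not opened, and marks the JDK 17 failure as a missing-member lookup rather than an access denial.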