Dear Gracenote Developer:
In the last week of June, Gracenote was advised by an independent security research organization of an issue with Java APIs of Gracenote SDKs. Gracenote has confirmed the security issue and has updated all of the affected products. The security research organization will be releasing details of their study on August 10th, classifying it as CVE-2015-2004.
If your application is serializing GnException then there is a possible security risk that is potentially exploitable. The likelihood is low and Gracenote is not aware of any existing exploits, nor is the security research organization. This issue exists only in the Java layer (including Android Java APIs), only if your application serializes GnException and stores or transmits the serialized object.
Gracenote strongly recommends that you update your products with this hot fix before the August 10th publication. Please note that if you are using the C APIs or non-Java APIs (e.g., C++, Objective C, C#), this issue is not applicable and there is no need for you to upgrade.
We apologize for any inconvenience this may cause your teams. Please be assured Gracenote is committed to providing high-quality secure software to our customers and ensuring any security vulnerabilities are communicated.
If you have additional questions, please contact your Gracenote Global Services and Support Engagement Manager.
Gracenote Developer Support Team