Magnolia UI / MGNLUI-4790

Vaadin vulnerability regarding object serialisation

    • Type: Bug
    • Resolution: Not an issue
    • Priority: Neutral
    • 6.0
    • Basel 160
    • 0.5

      Reported by Vaadin

       

      Overview
      This is a Security Alert for Java Deserialization in Vaadin (CWE-502: Deserialization of Untrusted Data). We want to thank Kai Ullrich from Code White GmbH, Ulm, Germany for identifying this issue and informing us about it.

      This Security Alert is classified as: Moderate

      Affected Products
      Vaadin Framework 7.7 and older
      Vaadin Framework 8+ when using V7 compatibility package
      Unaffected Products
      Vaadin Framework 8.0.0 and newer
      Vaadin 10+
      Details
      The following section briefly explains the vulnerability. Due to its nature, there will be no changes to the framework for this issue, or for similar deserialization issues that might be found in the future.

      Java Deserialization for remote code execution
      This is not an issue in Vaadin itself, as Vaadin does not use Java's deserialization functionality. However, if a Vaadin application runs in a Servlet container where JMX or RMI is used, an unauthenticated user can trigger the deserialization of a payload they crafted, and vaadin-server.jar and vaadin-shared.jar are on the classpath when the deserialization happens, an attacker can achieve unauthenticated remote code execution.

      In practice, the attack is executed by injecting a payload that, once deserialized, is accessed through NestedMethodProperty, allowing malicious code to execute.

      If you are using JMX or RMI together with any affected Vaadin version, you should take a look at the references listed below for handling the situation.

      The functionality used for the identified chain of deserialization events is no longer included in Vaadin 8 (without the Vaadin 7 compatibility packages) or the Vaadin platform. We still advise users of those products to ensure all access to deserialization facilities is restricted, since we cannot rule out the possibility that a similar attack vector is identified in the future.
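The advice above, to restrict all access to deserialization facilities, can be implemented with a deny-by-default `ObjectInputFilter` (JEP 290). This is an added example, not Vaadin's or Magnolia's code; it assumes Java 9+ and uses a hypothetical class `NotAllowlisted` to stand in for any unexpected type. JMX and RMI endpoints deserialize outside application code, so there the same pattern string is applied process-wide with `-Djdk.serialFilter=...` instead of per stream.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

// Deny-by-default deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9+).
// Only an explicit allowlist of JDK value types may be deserialized; any other class,
// including everything in vaadin-server.jar / vaadin-shared.jar, is rejected before
// its readObject() runs, so a gadget chain such as the one through NestedMethodProperty
// never starts executing.
public class RestrictedDeserialization {

    // Patterns are matched in order: "!" rejects, "**" matches a package and its
    // subpackages, and the final "!*" denies anything not explicitly allowed.
    // maxdepth / maxarray bound nesting and array sizes against resource exhaustion.
    static final String FILTER_PATTERN =
            "maxdepth=20;maxarray=10000;"
            + "!com.vaadin.**;"                                       // library named in the advisory
            + "java.util.HashMap;java.lang.Integer;java.lang.Number;" // Number: Integer's superclass is checked too
            + "!*";

    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);

    /** Deserialize with the filter attached; returns null if the stream was rejected. */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        } catch (InvalidClassException rejected) {
            // ObjectInputStream reports a REJECTED filter decision as InvalidClassException.
            return null;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    /** Hypothetical type that is not on the allowlist; stands in for any unexpected class. */
    static class NotAllowlisted implements Serializable { int x = 1; }

    public static void main(String[] args) throws Exception {
        Map<String, Integer> ok = new HashMap<>();
        ok.put("a", 1);
        // The allowlisted map round-trips; the unknown class is refused and yields null.
        System.out.println("allowlisted map: " + readFiltered(serialize(ok)));
        System.out.println("unknown class:   " + readFiltered(serialize(new NotAllowlisted())));
    }
}
```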

      The vulnerability has been classified as Moderate, due to its limited application.
