[MGNLUI-4790] Vaadin vulnerability regarding object serialisation Created: 13/Nov/18 Updated: 21/Nov/18 Resolved: 13/Nov/18 |
|
| Status: | Closed |
| Project: | Magnolia UI |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 6.0 |
| Type: | Bug | Priority: | Neutral |
| Reporter: | Ilgun Ilgun | Assignee: | Ilgun Ilgun |
| Resolution: | Not an issue | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: |
|
| Acceptance criteria: |
Empty
|
| Task DoD: |
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
|
| Bug DoR: |
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
|
| Release notes required: |
Yes
|
| Documentation update required: |
Yes
|
| Date of First Response: | |
| Epic Link: | 6.0 requisite |
| Sprint: | Basel 160 |
| Story Points: | 0.5 |
| Description |
|
Reported by Vaadin:

Overview
This Security Alert is classified as: Moderate

Affected Products
Java Deserialization for remote code execution

In practice, the attack can be executed by injecting a payload that will be deserialized and then accessed by the NestedMethodProperty, allowing the execution of malicious code. If you are using JMX or RMI together with any affected Vaadin version, you should take a look at the references listed below for handling the situation.

The functionality used for the identified chain of deserialization events is no longer included in Vaadin 8 (without the Vaadin 7 compatibility packages) or the Vaadin platform. We still advise users of those products to ensure all access to deserialization facilities is restricted, since we cannot rule out the possibility that a similar attack vector is identified in the future.

The vulnerability has been classified as Moderate, due to its limited application. |
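The advice above, to restrict all access to deserialization facilities, is usually implemented in Java with a class allowlist on the stream. The following is an added example and is not Vaadin or Magnolia code: it uses the standard java.io.ObjectInputFilter (JEP 290, Java 9+) to reject every class that is not explicitly expected, so a gadget such as Vaadin 7's NestedMethodProperty is refused before its readObject or getValue can run. The allowlist contents, the Greeting class, the depth/reference/array limits and the use of java.util.Date as a stand-in for an unexpected class are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not Vaadin/Magnolia code): an allowlist-based ObjectInputFilter.
 * The JVM calls the filter for every class descriptor and array it meets in the
 * stream, before instantiating anything, so unexpected classes never get a
 * chance to execute gadget code.
 */
public class DeserializationAllowlist {

    /** Classes this stream is expected to contain (assumed for the example). */
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Number",
            "java.util.ArrayList", "java.util.HashMap",
            Greeting.class.getName());

    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        // Hard caps against resource-exhaustion payloads, independent of class.
        if (info.depth() > 10 || info.references() > 1000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // Callback for limits only (no class involved): leave undecided.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        // Arrays are judged by their component type.
        while (c.isArray()) {
            c = c.getComponentType();
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        // Everything else (e.g. com.vaadin.data.util.NestedMethodProperty) is
        // rejected; ObjectInputStream then throws InvalidClassException.
        return ObjectInputFilter.Status.REJECTED;
    };

    /** Deserialize with the allowlist applied to this one stream. */
    public static Object readWithAllowlist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST_FILTER); // must be set before the first read
            return in.readObject();
        }
    }

    /**
     * JMX and RMI deserialize on your behalf, so the same policy should be
     * installed process-wide; streams without their own filter fall back to it.
     * May be called only once per JVM (later calls throw IllegalStateException).
     */
    public static void installProcessWideFilter() {
        ObjectInputFilter.Config.setSerialFilter(ALLOWLIST_FILTER);
    }

    /** Hypothetical application DTO that is legitimately expected in the stream. */
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Greeting ok = (Greeting) readWithAllowlist(serialize(new Greeting("hello")));
        System.out.println("allowed: " + ok.text);

        // java.util.Date stands in for any class the application did not expect
        // (a real gadget chain is not needed to show the filter refusing it).
        try {
            readWithAllowlist(serialize(new java.util.Date()));
            System.out.println("BUG: unexpected class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same policy can be expressed without code as a JVM flag, for instance -Djdk.serialFilter=java.lang.String;java.util.ArrayList;!* (the pattern syntax of ObjectInputFilter.Config.createFilter), which is the simplest way to cover JMX/RMI listeners you do not construct yourself. Returning REJECTED rather than UNDECIDED for unknown classes matters: an UNDECIDED result at the end of the filter chain is treated as allowed.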
| Comments |
| Comment by Mikaël Geljić [ 13/Nov/18 ] |
|