[MGNLUI-4790] Vaadin vulnerability regarding object serialisation Created: 13/Nov/18  Updated: 21/Nov/18  Resolved: 13/Nov/18

Status: Closed
Project: Magnolia UI
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0

Type: Bug Priority: Neutral
Reporter: Ilgun Ilgun Assignee: Ilgun Ilgun
Resolution: Not an issue Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Release notes required:
Yes
Documentation update required:
Yes
Date of First Response:
Epic Link: 6.0 requisite
Sprint: Basel 160
Story Points: 0.5

Description

Reported by Vaadin


Overview
This is a Security Alert for Java Deserialization in Vaadin (CWE-502: Deserialization of Untrusted Data). We want to thank Kai Ullrich from Code White GmbH, Ulm, Germany for identifying this issue and informing us about it.

This Security Alert is classified as: Moderate

Affected Products
Vaadin Framework 7.7 and older
Vaadin Framework 8+ when using V7 compatibility package
Unaffected Products
Vaadin Framework 8.0.0 and newer
Vaadin 10+
Details
The following section briefly explains the vulnerability, but due to its nature, there will be no changes to the framework for this issue, or for other similar deserialization issues that might be found in the future.

Java Deserialization for remote code execution
This is not an issue in Vaadin itself, as Vaadin doesn't use Java's deserialization functionality. However, if a Vaadin application is running in a Servlet container where JMX or RMI is used, and if an unauthenticated user can trigger the deserialization of a payload crafted by them, and vaadin-server.jar and vaadin-shared.jar are part of the classpath when the deserialization happens, an attacker can achieve an unauthenticated remote code execution.

In practice, the attack can be executed by injecting a payload that will be deserialized and will be accessed by the NestedMethodProperty allowing the execution of malicious code.

If you are using JMX or RMI together with any affected Vaadin version, you should take a look at the references listed below for handling the situation.

The functionality used for the identified chain of deserialization events is no longer included in Vaadin 8 (without the Vaadin 7 compatibility packages) or the Vaadin platform. We still advise users of those products to ensure all access to deserialization facilities is restricted, since we cannot rule out the possibility that a similar attack vector is identified in the future.

The vulnerability has been classified as Moderate, due to its limited application.



Comments
Comment by Mikaël Geljić [ 13/Nov/18 ]

It looks like we have zero usage of that NestedMethodProperty (pretty sure I have used it some time ago for an experiment tho); see https://git.magnolia-cms.com/plugins/servlet/search?q=NestedMethodProperty.

It was typically useful for accessing arbitrary sub-bean properties with dot notation, when working with BeanItems/BeanItemContainers—which we don't do much either.

Generated at Mon Feb 12 09:20:07 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.