Denial of service in UIDL request handler in Vaadin 7 and 8
Overview
An improper check for an exceptional condition in a third-party JSON handling library used in com.vaadin:vaadin-shared versions 7.4.0 through 7.7.8 (Vaadin 7.4.0 through 7.7.8) and 8.0.0 through 8.0.5 (Vaadin 8.0.0 through 8.0.5) allows an attacker to perform a denial of service (DoS) attack via a crafted JSON payload.
See CWE-754: Improper Check for Unusual or Exceptional Conditions, CWE-400: Uncontrolled Resource Consumption
Description
An improper check for an exceptional condition was discovered in a third-party JSON handling library integrated in Vaadin Framework 7 and used as a transitive dependency in Vaadin Framework 8. By crafting an invalid JSON payload, an attacker could cause the server-side decoding logic to exhaust the entire JVM heap. The vulnerability may impact service availability, but cannot cause execution of untrusted code or disclosure of sensitive information.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
| Product version | Mitigation |
|---|---|
| Vaadin 7.4.0 - 7.7.8 | Upgrade to 7.7.9 or a newer 7.x version |
| Vaadin 8.0.0 - 8.0.5 | Upgrade to 8.0.6 or a newer 8.x version |
Artifacts
| Maven coordinates | Vulnerable version | Fixed version |
|---|---|---|
| com.vaadin:vaadin-shared | 7.4.0 - 7.7.8 | ≥ 7.7.9 |
| com.vaadin:vaadin-shared | 8.0.0 - 8.0.5 | ≥ 8.0.6 |
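To check whether a build pulls in an affected com.vaadin:vaadin-shared artifact, the following added Python script (not part of this advisory or of Vaadin) parses `mvn dependency:list` style output and compares each version numerically against the ranges in the table above; the sample dependency lines are constructed.

```python
import re

ARTIFACT = "com.vaadin:vaadin-shared"
# (first affected, last affected, first fixed) per release line, from the advisory table.
ADVISORY_RANGES = [("7.4.0", "7.7.8", "7.7.9"), ("8.0.0", "8.0.5", "8.0.6")]
# Matches mvn dependency:list lines like "[INFO]    com.vaadin:vaadin-shared:jar:7.7.7:compile"
DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):\w+")

def parse_version(version):
    """'7.7.10' -> (7, 7, 10): numeric compare, so 7.7.10 > 7.7.9; a qualifier like 'rc1' is dropped."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def fixed_version_for(version):
    """First fixed release if version lies in a vulnerable range, else None."""
    v = parse_version(version)
    for lo, hi, fixed in ADVISORY_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None

def audit(dependency_lines):
    """Return [(version, first_fixed)] for each affected vaadin-shared entry."""
    findings = []
    for line in dependency_lines:
        m = DEP_LINE.search(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        fixed = fixed_version_for(version)
        if f"{group}:{artifact}" == ARTIFACT and fixed:
            findings.append((version, fixed))
    return findings

# Constructed sample output, not from a real build; 7.7.10 is newer than the fix and passes.
SAMPLE = [
    "[INFO]    com.vaadin:vaadin-server:jar:7.7.7:compile",
    "[INFO]    com.vaadin:vaadin-shared:jar:7.7.7:compile",
    "[INFO]    com.vaadin:vaadin-shared:jar:7.7.10:compile",
    "[INFO]    com.vaadin:vaadin-shared:jar:8.0.3:compile",
]

if __name__ == "__main__":
    for version, fixed in audit(SAMPLE):
        print(f"{ARTIFACT}:{version} is affected; upgrade to {fixed} or a newer {fixed[0]}.x release")
```

Feed it the real output of `mvn dependency:list` to cover transitive pulls of vaadin-shared in Vaadin 8 projects, where the artifact may not appear in the pom directly.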
History
- 2017-05-11: Initial vulnerability report published