Potential deserialization of untrusted data in Vaadin 7 and 8 when JMX or RMI are enabled
Certain classes in com.vaadin:vaadin-server version 7 (all versions of Vaadin 7) and com.vaadin:vaadin-compatibility-server version 8 (all versions of Vaadin 8) allow an attacker to perform unsafe deserialization when JMX or RMI is enabled.
When a Vaadin 7 application (or a Vaadin 8 application that uses the V7 compatibility package) runs in a Servlet container where JMX or RMI is used, an unauthenticated user can trigger the deserialization of a payload they have crafted, and vaadin-server.jar is on the classpath when that deserialization happens, the attacker can achieve unauthenticated remote code execution.
In practice, the attack is carried out by injecting a payload that is deserialized and then handled by NestedMethodProperty, allowing the execution of malicious code.
The functionality used for the identified chain of deserialization events is no longer included in Vaadin 8 (without the Vaadin 7 compatibility packages) or in the Vaadin platform. We still advise users of those products to restrict all access to deserialization facilities, since we cannot rule out that a similar attack vector will be identified in the future.
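The advice above, "restrict all access to deserialization facilities", can be enforced in the application itself with a JEP 290 deserialization filter, which rejects any class not on an allowlist before its readObject code ever runs, so a serialized NestedMethodProperty (or any other gadget class) is refused at the class-descriptor stage. The following is an added example written for this page; it is not Vaadin's code and not part of the advisory. It uses java.io.ObjectInputFilter (JDK 9 and later; JDK 8u121 and later ship the same API as sun.misc.ObjectInputFilter). The allowlisted classes, the size limits and the sample objects are assumptions chosen for illustration, and java.util.HashMap stands in for an arbitrary non-allowlisted type, not for a known gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

/**
 * Added example (not Vaadin's code): an allowlist-based deserialization
 * filter. Only the named classes are accepted; "!*" rejects everything
 * else, including every com.vaadin.* class and any unknown gadget class.
 * The class names and limits below are assumptions for this example; a
 * real application lists only the types it actually expects to receive.
 */
public final class RestrictedDeserialization {

    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Integer;java.util.ArrayList;"
            + "maxdepth=5;maxrefs=100;maxbytes=65536;!*");

    /** Deserializes data, but only if every class in the stream is allowlisted. */
    public static Object readRestricted(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // The filter is consulted for each class descriptor as it is read,
            // so a rejected class throws before its constructor or readObject runs.
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    /** Helper for the demo: produce a serialized form of a constructed sample object. */
    static byte[] serialize(Object value) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ArrayList of Strings, which is on the allowlist.
        ArrayList<String> expected = new ArrayList<>();
        expected.add("hello");
        System.out.println("accepted: " + readRestricted(serialize(expected)));

        // Constructed sample input of a type outside the allowlist. The stream is
        // refused with InvalidClassException ("filter status: REJECTED") at the
        // class-descriptor stage, i.e. before any HashMap code executes.
        try {
            readRestricted(serialize(new HashMap<String, String>()));
            System.out.println("BUG: non-allowlisted class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For the JMX and RMI entry points named in this advisory, an in-code filter on the application's own streams is not enough, because the deserialization happens in the JDK's connector before any Vaadin code is involved. The same pattern syntax can be applied process-wide with the system property -Djdk.serialFilter='java.lang.*;java.util.*;!*' (JDK 8u121 and later), which also covers the RMI registry and the JMX RMI connector. Keep the pattern as narrow as the application tolerates, and verify on a test instance that legitimate JMX clients still connect. Whether remote JMX is enabled at all can be checked with jcmd <pid> VM.system_properties and looking for com.sun.management.jmxremote.* entries.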
Affected products and mitigation
|Product|Maven coordinates|Affected version|Mitigation|
|---|---|---|---|
|Vaadin 7|com.vaadin:vaadin-server|all versions of Vaadin 7|If you are using JMX or RMI together with any affected Vaadin version, you should take a look at the references listed below for handling the situation.|
|Vaadin 8 (with V7 compatibility package)|com.vaadin:vaadin-compatibility-server|all versions of Vaadin 8|If you are using JMX or RMI together with any affected Vaadin version, you should take a look at the references listed below for handling the situation.|
This issue was discovered and responsibly reported by Kai Ullrich from Code White GmbH, Ulm, Germany.
- 2021-09-03: Clarified affected packages
- 2018-11-13: Initial vulnerability report published