Server classes and resources exposure in OSGi applications using Vaadin 12-14 and 19
Overview
A vulnerability in the OSGi integration of com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9) and 6.0.0 through 6.0.1 (Vaadin 19.0.0) allows an attacker to access application classes and resources on the server via a crafted HTTP request.
See CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
Description
This vulnerability only applies to Vaadin OSGi applications in the aforementioned versions. It is the outcome of combining the default behavior of the OSGi Http Whiteboard specification with the static-resource handling of `VaadinServlet`:
- Under the OSGi Http Whiteboard specification, all resources inside a bundle/jar are available via the `ServletContext` to any servlet registered from that bundle/jar. This is the expected behavior of the specification.
- `VaadinServlet` exposes all resources available in the `ServletContext` over HTTP (through the `StaticFileServer` class).
When a `VaadinServlet` is registered using the Http Whiteboard, it therefore exposes, by default, every resource in the `ServletContext` of its bundle/jar to the browser, as long as the request targets the exact URL of that resource. This only applies to resources within the same bundle as the servlet; resources from other bundles are not accessible, because the Http Whiteboard does not expose them via the `ServletContext`. In non-OSGi Vaadin applications the `ServletContext` does not provide comparable access to resources, so they are not affected.
In practice this means that any Java class or static resource that is part of the same bundle as the registered servlet can be requested from the browser using the request URL corresponding to that resource. To exploit the vulnerability, an attacker needs, at a minimum, to know an entry point to the system that might provide further information about which resources are accessible.
To address the issue, it is recommended to update the Vaadin version to the aforementioned maintenance versions where the issue is fixed.
One can test whether a Vaadin OSGi application is affected by trying to fetch its class files or static resources via the browser.
Affected products and mitigation
Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:
Product version | Mitigation |
---|---|
Vaadin 12 - 13 | No longer supported. Upgrade to 14.4.10 or newer 14 version |
Vaadin 14.0.0 - 14.4.9 | Upgrade to 14.4.10 or newer 14 version |
Vaadin 19.0.0 | Upgrade to 19.0.1 or newer 19 version |
Please note that Vaadin versions 12-13 are no longer supported and you should update to the latest 14 version.
Artifacts
Maven coordinates | Vulnerable version | Fixed version |
---|---|---|
com.vaadin:flow-server | 1.2.0 - 2.4.7 | ≥ 2.4.8 |
com.vaadin:flow-server | 6.0.0 - 6.0.1 | ≥ 6.0.2 |
References
History
- 2021-03-29: Initial vulnerability report published