An unauthenticated Java deserialization vulnerability in the Google Web Toolkit (GWT) open source application framework remains unpatched more than eight years after it was first disclosed, leaving applications built on it exposed, and fixing it may require fundamental modifications to the framework itself.
GWT is an open source set of tools that lets web developers create and maintain JavaScript front-end applications in Java. According to technology tracking platform Enlyft, around 2,000 companies use GWT; most are small businesses with 1 to 10 employees and annual revenues between $1 million and $10 million.
In new research, Bishop Fox researcher Ben Lincoln found that the GWT vulnerability, which allows remote code execution, has gone unfixed for years. It is a Java deserialization bug similar to the Spring4Shell vulnerability discovered in 2022.
“If a patch was not issued, at least the vulnerable framework feature would have been marked as deprecated, and the framework documentation would have provided suggestions to replace the vulnerable code with an updated alternative,” Lincoln wrote. “At the very least, the framework developers would surely have updated their ‘getting started’ tutorials and other documentation to show the dangers inherent in using vulnerable features, rather than emphasizing those features.”
According to Lincoln, the code's maintainers have been aware of the GWT flaw since it was first publicly discussed in 2015, in a post detailing exactly how vulnerable GWT applications could be exploited in the real world.
Mitigating vulnerable applications
Lincoln warns that mitigating already-deployed web applications can be a daunting task.
The vulnerability sits at such a fundamental level that “protecting vulnerable web applications created using this framework” is likely to “require architectural changes to those applications or to the framework itself,” he explained in the research.
First, Lincoln tells Dark Reading that administrators running vulnerable applications need to plan for the worst-case scenario and work from there.
“[They should ask] ‘What would we do if our enterprise had to immediately block access to this application, and could not restore access until remediation could occur?’” Lincoln says.
More broadly, he recommends watching how well the maintainers of third-party components respond to vulnerability reports with patches, so as to avoid running with these kinds of known but unpatched defects.
“If you get a ‘not a problem for us’ type of response instead of a patch, check whether your organization agrees with that position, or evaluate whether it is worth replacing the component or creating a customized version that includes a remediation,” Lincoln recommended. “If the risk is determined to be low, track it internally as a vulnerability to be reviewed at least once a year to ensure your organization still reaches the same conclusion.”
Additionally, “for applications developed in-house, regularly review the list of third-party components on which they are based, identify any that appear to be waning in popularity or developer activity, even if they are not officially abandoned or unsupported, and consider migrating away from them.”
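The two practices Lincoln describes, tracking risk-accepted but unpatched findings for at least annual re-review and periodically checking third-party components for waning maintainer activity, can be turned into a small inventory check. The script below is an added example, not code from the article or from Bishop Fox; the component names, versions, dates, finding identifiers and the one-year thresholds are all constructed for illustration, and the "stale" / "no_recent_release" / "active" labels are this example's own classification, not a standard.

```python
"""Added example (not from the article or Bishop Fox): a small tracker for two
defensive practices the article recommends.

1. Classify third-party components by recent maintainer activity so that
   projects whose releases and commits have both gone quiet stand out, even
   if they are not officially abandoned.
2. Track vendor-unpatched, risk-accepted findings and report which ones are
   due for their periodic (at least annual) re-review.

All component names, versions, dates and finding IDs below are constructed
for illustration; they are not real project data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class Component:
    name: str
    version: str
    last_release: date   # date of the most recent published release
    last_commit: date    # date of the most recent upstream commit


@dataclass
class AcceptedFinding:
    finding_id: str
    component: str
    vendor_position: str   # e.g. "not a problem for us"
    last_reviewed: date
    risk: str              # "low" / "medium" / "high"


def classify_components(components: List[Component], today: date,
                        max_idle_days: int = 365) -> Dict[str, str]:
    """Label each component by upstream activity inside the idle window.

    "stale":             neither a release nor a commit within the window
    "no_recent_release": commits continue but no release has been cut
    "active":            a release within the window
    """
    cutoff = today - timedelta(days=max_idle_days)
    result: Dict[str, str] = {}
    for c in components:
        if c.last_release >= cutoff:
            result[c.name] = "active"
        elif c.last_commit >= cutoff:
            result[c.name] = "no_recent_release"
        else:
            result[c.name] = "stale"
    return result


def reviews_due(findings: List[AcceptedFinding], today: date,
                interval_days: int = 365) -> List[str]:
    """Return IDs of accepted findings whose last review is older than the interval."""
    cutoff = today - timedelta(days=interval_days)
    return sorted(f.finding_id for f in findings if f.last_reviewed < cutoff)


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2024, 1, 15)
SAMPLE_COMPONENTS = [
    Component("ui-framework-a", "1.0.0", date(2015, 6, 1), date(2016, 2, 1)),
    Component("http-lib-b", "4.2.1", date(2023, 11, 2), date(2024, 1, 10)),
    Component("json-lib-c", "2.8.0", date(2022, 3, 1), date(2023, 12, 20)),
]
SAMPLE_FINDINGS = [
    AcceptedFinding("FND-0001", "ui-framework-a", "not a problem for us",
                    date(2022, 12, 1), "low"),
    AcceptedFinding("FND-0002", "json-lib-c", "won't fix",
                    date(2023, 9, 1), "low"),
]


if __name__ == "__main__":
    for name, status in classify_components(SAMPLE_COMPONENTS, TODAY).items():
        print(f"{name:16s} {status}")
    print("re-review due:", ", ".join(reviews_due(SAMPLE_FINDINGS, TODAY)) or "none")
```

Feeding the script a real inventory means replacing the constructed lists with data from a dependency manifest or SBOM plus release and commit dates from the upstream repositories; the one-year window matches the article's "at least once a year" guidance and can be tightened for components that sit on an authentication or deserialization boundary.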