Security Vulnerabilities with GWT

972 views
Skip to first unread message

Priya Kolekar

unread,
Jun 29, 2020, 6:57:41 AM6/29/20
to GWT Users

Hi All,

Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker tool.

Below are the details -

Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )
1.2 Vulnerable version of commons-collections(current version - 3.2.1)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)
1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?

Colin Alworth

unread,
Jun 29, 2020, 9:36:11 AM6/29/20
to GWT Users
1. No, these dependencies were not updated as part of the 2.9.0 release
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way that none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is included in gwt-servlet and can be entirely removed. I believe this is likely a false positive if it is not used, since it gets a custom package, so will not interfere with other protobuf dependencies.

Can you share the full report you obtained so we can confirm that #3 is true, and file an issue with all the details? I'll start work on confirming we can remove it from gwt-servlet, and after we are certain about these issues we look into making a release.

Thomas Broyer

unread,
Jun 29, 2020, 10:39:29 AM6/29/20
to GWT Users


On Monday, June 29, 2020 at 3:36:11 PM UTC+2, Colin Alworth wrote:
1. No, these dependencies were not updated as part of the 2.9.0 release 
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 3.x release is going to be structured in a different enough of a way that none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is included in gwt-servlet and can be entirely removed. I believe this is likely a false positive if it is not used, since it gets a custom package, so will not interfere with other protobuf dependencies.

From a quick search in gwtproject/tools, protobuf is a transitive dependency of jscomp-sourcemaps, and it *is* indeed the rebased/repackaged version.

Thomas Broyer

unread,
Jun 29, 2020, 11:10:03 AM6/29/20
to GWT Users


On Monday, June 29, 2020 at 12:57:41 PM UTC+2, Priya Kolekar wrote:

Hi All,

Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker tool.

Below are the details -

Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )

Dev servers only listen on 127.0.0.1 by default, which already limits the attack surface a lot.
I don't know the details of the vulnerabilities, but I suspect many would be hard to exploit in a dev environment, even if you opened your dev servers to other machines on your network.
 
1.2 Vulnerable version of commons-collections(current version - 3.2.1)

This is all related to Java Object Serialization. GWT does not use serialization across the network AFAICT (some objects are serialized to disk as a persistent cache, but then they're not vulnerable)
 
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)

HttpClient is a dependency of HtmlUnit, it'll only be used during your GWTTestCase tests (if you run them with HtmlUnit)
 
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

This (https://snyk.io/vuln/maven:com.google.protobuf%3Aprotobuf-java) is a false positive: it's actually in the C++ version.

1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)

You're only vulnerable if you load untrusted third-party scripts within your GWTTestCase tests (and you use HtmlUnit to run them)


Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

As said in my other message, this is an "internal" dependency (and probably never used for serialization/deserialization of protobuf objects), and as seen above, the vulnerability actually is in Protobuf C++, not Protobuf Java.

Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?

Given the above, I'd say no.

Velusamy Velu

unread,
Jun 29, 2020, 11:38:57 AM6/29/20
to GWT Users
Is there a documented or demonstrated case of break-in using any of the vulnerabilities listed in your post, in an application developed with GWT framework? Do these vulnerabilities matter if a GWT application doesn't use GWT's RPC?

Colin Alworth

unread,
Jun 29, 2020, 11:47:32 AM6/29/20
to google-we...@googlegroups.com
The gwt-servlet issue is only on c++ versions of protobuf, so we believe there is no exploit here at all.

The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor gwt-user.jar should ever be deployed as part of a running server application, so none of those should be exploitable either.

Priya Kolekar

unread,
Jun 30, 2020, 6:16:01 AM6/30/20
to GWT Users
Thank you very much for quick responses.
Here are Vulnerabilities listed -


Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ ) 
[Associated CVEs -  CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0) [CVE-2015-5237]
1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37) [CVE-2020-5529]

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0) [CVE-2015-5237]

Ben Shapiro

unread,
Oct 26, 2022, 5:07:48 PM10/26/22
to GWT Users
I know that this conversation is about 2 years old.  We upgraded to GWT 2.10 in hopes that it would resolve the following vulnerabilities with protobuf-java, they are all being reports in the gwt-servlet.jar (version 2.10.0):

These are all being reported in our project by the AWS Enhanced Scanning.  It there any way to upgrade Protobuf from 2.5.0 to the latest version of 3.21.8?

Thanks in advance.
Ben

Colin Alworth

unread,
Oct 28, 2022, 10:53:20 AM10/28/22
to GWT Users
This is discussed at https://github.com/gwtproject/gwt/issues/9778 and https://github.com/gwtproject/gwt/issues/9752: this is a false positive, but still needs to be corrected. The simplest fix is probably to just stop packaging up the "I am running an old version" marker file, since the

Is there a functioning "bug bounty" tool for github? I found a few options that all seem defunct, but this seems like a good candidate for someone to either scratch their own itch and get it fixed, or fund someone else who has the time.

Regardless, as someone not actually affected by this false positive (so I can't justify the time right now to focus on it, run the verification that tools accept the output, etc), I'll put up a bounty of 100USD (via paypal/etc) to see this fixed, with a bonus 100USD for a first-time contributor. If someone has experience with a platform for setting up bounties like this, it might be helpful to formalize future issues.

Rafat J. Al-Barouki

unread,
Nov 11, 2022, 3:14:20 PM11/11/22
to GWT Users
I did make a PR for fixing this issue by removing the pom.xml file from the rebased jar https://github.com/gwtproject/gwt/pull/9785

I did scan a sample project and attached is the report. It would be great if there is anyone can help verify the fix.

dependency-check-report.zip

Colin Alworth

unread,
Nov 16, 2022, 11:43:31 AM11/16/22
to GWT Users
Thanks for working on this, Rafat.

I've deployed a build of this to https://repo.vertispan.com/gwt-snapshot/ with version 2.11.0-fix-9778-SNAPSHOT. This uses the new groupIds, org.gwtproject:gwt-servlet:2.11.0-fix-9778-SNAPSHOT.

For example, see https://repo.vertispan.com/gwt-snapshot/org/gwtproject/gwt-servlet/2.11.0-fix-9778-SNAPSHOT/ to get the gwt-servlet jar.

The patch looks like what I had expected from earlier discussion, thanks for manually confirming it yourself. If someone can confirm the build solves this issue, we can move forward with landing it.
Reply all
Reply to author
Forward
0 new messages