Saturday, November 21, 2015

Re: Java Deserialization Vulnerability

On Saturday, November 21, 2015 at 5:33:00 AM UTC+1, gerry wrote:
Is GWT RPC affected by the Java deserialization vulnerability?

Hmm, apparently, and to my surprise, under certain circumstances: yes.
If so is there a way to mitigate it?

First, to know whether you're impacted, grep for '@ClientFields' in your serialization policies (*.gwt.rpc files).

This will be the case (IIUC) for any class annotated with JPA's @Entity or JDO's @PersistenceCapable (IIUC only the @PersistenceCapable(detachable="true") annotated classes), or listed in the gwt.enhancedClasses configuration property (from the *.gwt.xml files)
So, the way to mitigate it is to make sure you don't run into such cases. You can possibly use the rpc.blacklist configuration property to blacklist offending classes for cases where they're unexpectedly picked up.

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To post to this group, send email to
Visit this group at
For more options, visit

No comments:

Post a Comment