Monday, June 29, 2020

Re: Security Vulnerabilities with GWT

On Monday, June 29, 2020 at 12:57:41 PM UTC+2, Priya Kolekar wrote:

Hi All,

Security Vulnerability have been detected in gwt-dev.jar & gwt-servlet.jar(in release 2.8.2) & are reported by Dependency checker tool.

Below are the details -

Gwt-dev.jar -
1.1 Vulnerable version of jetty library(current version-- 9.2.14, available version -9.2.27+ )

Dev servers only listen on by default, which already limits the attack surface a lot.
I don't know the details of the vulnerabilities, but I suspect many would be hard to exploit in a dev environment, even if you opened your dev servers to other machines on your network.
1.2 Vulnerable version of commons-collections(current version - 3.2.1)

This is all related to Java Object Serialization. GWT does not use serialization across the network AFAICT (some objects are serialized to disk as a persistent cache, but then they're not vulnerable)
1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current version - 4.3.1)

HttpClient is a dependency of HtmlUnit, it'll only be used during your GWTTestCase tests (if you run them with HtmlUnit)
1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

This ( is a false positive: it's actually in the C++ version.

1.5  Vulnerable version of htmlunit ( current version - 2.19 , available version- 2.37)

You're only vulnerable if you load untrusted third-party scripts within your GWTTestCase tests (and you use HtmlUnit to run them)

Gwt-servlet.jar -
        1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, available version - 3.4.0)

As said in my other message, this is an "internal" dependency (and probably never used for serialization/deserialization of protobuf objects), and as seen above, the vulnerability actually is in Protobuf C++, not Protobuf Java.

Given above vulnerabilities -
1. Are those security issues addressed in latest 2.9.0 release?
2. If no, is there a plan to include them in any future release say 3.x?
3. As we know that gwt-dev.jar is used for development purpose & can be flagged as false positive, still are there any attack surfaces exists?

Given the above, I'd say no.

You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
To view this discussion on the web visit

No comments:

Post a Comment