More than eight years after it first came to light, an unauthenticated Java deserialization vulnerability lurking in the Google Web Toolkit open source application framework remains unpatched, and could require fundamental framework fixes to vulnerable applications.
GWT is an open source set of tools that allows Web developers to create and maintain JavaScript front-end applications in Java.
According to technology tracking platform Enlyft, there are around 2,000 companies using GWT, the majority of which are small with one to 10 employees and between $1 million and $10 in annual revenue.
In new research, Bishop Fox managing principal Ben Lincoln expressed disbelief that the GWT vulnerability, which allows remote code execution, hasn't been fixed in all these years, adding that the Java deserialization bug is similar to the Spring4Shell vulnerability discovered in 2022.
The code's maintainers have taken none of those steps since the GWT flaw was first openly discussed in 2015, said Lincoln, whose posting details exactly how a vulnerable GWT application could be exploited in the real world.
Mitigation for exposed Web applications is going to be a heavy lift, Lincoln warns.
To start, Lincoln tells Dark Reading that administrators running vulnerable applications need to plan for the worst-case scenario and work from there.
More broadly, to avoid operating with these types of known, unpatched flaws, he recommends watching how responsive third-party component operators are to patching.
This Cyber News was published on www.darkreading.com. Publication date: Mon, 18 Dec 2023 22:45:16 +0000