Re: Security Vulnerabilities with GWT

2022-11-16 Thread Colin Alworth
Thanks for working on this, Rafat.

I've deployed a build of this to https://repo.vertispan.com/gwt-snapshot/ 
with version 2.11.0-fix-9778-SNAPSHOT. This uses the new groupIds, 
org.gwtproject:gwt-servlet:2.11.0-fix-9778-SNAPSHOT.

For example, see 
https://repo.vertispan.com/gwt-snapshot/org/gwtproject/gwt-servlet/2.11.0-fix-9778-SNAPSHOT/
to get the gwt-servlet jar.

The patch looks like what I had expected from earlier discussion, thanks 
for manually confirming it yourself. If someone can confirm the build 
solves this issue, we can move forward with landing it.
On Friday, November 11, 2022 at 2:14:20 PM UTC-6 rafat.a...@gmail.com wrote:

> I did make a PR for fixing this issue by removing the pom.xml file from 
> the rebased jar https://github.com/gwtproject/gwt/pull/9785
>
> I did scan a sample project and attached is the report. It would be great 
> if anyone can help verify the fix.
> 
> On Friday, 28 October 2022 at 16:53:20 UTC+2 nilo...@gmail.com wrote:
>
>> This is discussed at https://github.com/gwtproject/gwt/issues/9778 and 
>> https://github.com/gwtproject/gwt/issues/9752: this is a false positive, 
>> but still needs to be corrected. The simplest fix is probably to just stop 
>> packaging up the "I am running an old version" marker file, since the 
>>
>> Is there a functioning "bug bounty" tool for github? I found a few 
>> options that all seem defunct, but this seems like a good candidate for 
>> someone to either scratch their own itch and get it fixed, or fund someone 
>> else who has the time.
>>
>> Regardless, as someone not actually affected by this false positive (so I 
>> can't justify the time right now to focus on it, run the verification that 
>> tools accept the output, etc), I'll put up a bounty of 100USD (via 
>> paypal/etc) to see this fixed, with a bonus 100USD for a first-time 
>> contributor. If someone has experience with a platform for setting up 
>> bounties like this, it might be helpful to formalize future issues.
>>
>> On Wednesday, October 26, 2022 at 4:07:48 PM UTC-5 bsha...@qvera.com 
>> wrote:
>>
>>> I know that this conversation is about 2 years old.  We upgraded to GWT 
>>> 2.10 in hopes that it would resolve the following vulnerabilities with 
>>> protobuf-java; they are all being reported in the gwt-servlet.jar (version 
>>> 2.10.0):
>>> https://nvd.nist.gov/vuln/detail/CVE-2022-3171
>>> https://www.cve.org/CVERecord?id=CVE-2015-5237
>>> https://github.com/advisories/GHSA-wrvw-hg22-4m67
>>> https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-22569
>>>
>>> These are all being reported in our project by the AWS Enhanced 
>>> Scanning.  Is there any way to upgrade Protobuf from 2.5.0 to the latest 
>>> version of 3.21.8?
>>>
>>> Thanks in advance.
>>> Ben
>>>
>>> On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com 
>>> wrote:
>>>
>>>> Thank you very much for quick responses.
>>>> Here are the vulnerabilities listed -
>>>>
>>>>
>>>> Gwt-dev.jar -
>>>> 1.1 Vulnerable version of jetty library (current version 9.2.14, 
>>>> available version 9.2.27+) 
>>>> [Associated CVEs - 
>>>> CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536]
>>>> 1.2 Vulnerable version of commons-collections (current version 3.2.1) 
>>>> [CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
>>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current 
>>>> version 4.3.1) [CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
>>>> 1.4 Vulnerable version of Google Protobuf (current version 2.5.0, 
>>>> available version 3.4.0) [CVE-2015-5237]
>>>> 1.5 Vulnerable version of htmlunit (current version 2.19, 
>>>> available version 2.37) [CVE-2020-5529]
>>>>
>>>> Gwt-servlet.jar -
>>>> 1.1 Vulnerable version of Google Protobuf (current version 
>>>> 2.5.0, available version 3.4.0) [CVE-2015-5237]
>>>>
>>>>
>>>> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>>>>
>>>>>
>>>>> Hi All,
>>>>>
>>>>> Security vulnerabilities have been detected in gwt-dev.jar & 
>>>>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>>>>> tool.
>>>>>
>>>>> Below are the details -
>>>>>
>>>>> Gwt-dev.jar -
>>>>> 1.1 Vulnerable version of jetty library (current version 9.2.14, 
>>>>> available version 9.2.27+)
>>>>> 1.2 Vulnerable version of commons-collections (current version 3.2.1)
>>>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current 
>>>>> version 4.3.1)
>>>>> 1.4 Vulnerable version of Google Protobuf (current version 2.5.0, 
>>>>> available version 3.4.0)
>>>>> 1.5 Vulnerable version of htmlunit (current version 2.19, 
>>>>> available version 2.37)
>>>>>
>>>>> Gwt-servlet.jar -
>>>>> 1.1 Vulnerable version of Google Protobuf (current version 
>>>>> 2.5.0, available version 3.4.0)
>>>>>
>>>>> Given above vulnerabilities -
>>>>>
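
The thread's diagnosis is that gwt-servlet.jar carries relocated ("rebased") protobuf classes but still ships the original Maven pom.xml, and that marker is what a dependency scanner keys on. The following is an added example, not GWT project code and not the change from PR 9785: it builds a small jar in memory that imitates that situation, lists the META-INF/maven pom.xml and pom.properties markers a scanner would match, flags a marker as stale when no class in the jar lives under the package its groupId implies, and writes a copy with the markers stripped so the scanner has nothing to match. The relocated package name com.google.gwt.thirdparty.protobuf and the placeholder class bytes are constructed for the example; the groupId-to-package check is a heuristic, not a Maven rule.

```python
"""Find and strip the Maven coordinate markers that dependency scanners key on.

Added example, not GWT project code. Scanners identify a bundled library from
the META-INF/maven/<groupId>/<artifactId>/pom.properties and pom.xml entries
inside a jar, so a jar that relocates protobuf classes under its own package
but still ships the original pom files is reported as protobuf-java 2.5.0 even
though no com.google.protobuf class is actually on the classpath.
"""
import io
import re
import zipfile
from typing import Dict, List, Tuple

# META-INF/maven/<groupId>/<artifactId>/(pom.xml|pom.properties)
MAVEN_MARKER = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/(pom\.xml|pom\.properties)$")


def build_sample_jar() -> bytes:
    """Constructed sample jar: a relocated protobuf class plus the original Maven markers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # Class relocated to a private package (assumed name); the bytes are a placeholder.
        jar.writestr("com/google/gwt/thirdparty/protobuf/Message.class", b"\xca\xfe\xba\xbe")
        # The original coordinates survive relocation and are what a scanner matches on.
        jar.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
            "version=2.5.0\ngroupId=com.google.protobuf\nartifactId=protobuf-java\n",
        )
        jar.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.xml",
            "<project><groupId>com.google.protobuf</groupId>"
            "<artifactId>protobuf-java</artifactId><version>2.5.0</version></project>",
        )
    return buf.getvalue()


def list_entries(jar_bytes: bytes) -> List[str]:
    """Entry names of a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return jar.namelist()


def find_maven_markers(jar_bytes: bytes) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Map (groupId, artifactId) -> {"version", "files", "stale"} for every marker.

    "stale" is True when no .class entry lives under the package the groupId
    implies (com.google.protobuf -> com/google/protobuf/), i.e. the classes
    were relocated and only the metadata was left behind. This is a heuristic.
    """
    entries = list_entries(jar_bytes)
    found: Dict[Tuple[str, str], Dict[str, object]] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in entries:
            m = MAVEN_MARKER.match(name)
            if not m:
                continue
            group, artifact, fname = m.groups()
            rec = found.setdefault((group, artifact), {"version": None, "files": [], "stale": True})
            rec["files"].append(name)
            if fname == "pom.properties":
                # pom.properties is a plain key=value file; the version is what scanners report.
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    key, _, value = line.partition("=")
                    if key.strip() == "version":
                        rec["version"] = value.strip()
    for (group, _artifact), rec in found.items():
        pkg_prefix = group.replace(".", "/") + "/"
        rec["stale"] = not any(e.startswith(pkg_prefix) and e.endswith(".class") for e in entries)
    return found


def strip_maven_markers(jar_bytes: bytes) -> Tuple[bytes, List[str]]:
    """Copy the jar without any META-INF/maven pom.xml / pom.properties entries."""
    removed: List[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if MAVEN_MARKER.match(info.filename):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


if __name__ == "__main__":
    jar = build_sample_jar()
    for (g, a), rec in find_maven_markers(jar).items():
        print(f"{g}:{a}:{rec['version']} stale={rec['stale']} via {rec['files']}")
    cleaned, removed = strip_maven_markers(jar)
    print("removed:", removed)
    print("markers left:", find_maven_markers(cleaned))
```

Run against a real jar by replacing build_sample_jar() with the file's bytes. A stale marker is the signature of the false positive discussed here: the coordinates name a library whose classes are not present under their own package. Stripping the markers removes the scanner finding; it does not change what code runs, so a finding that is not stale still needs a real upgrade.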

Re: Security Vulnerabilities with GWT

2022-11-11 Thread Rafat J. Al-Barouki
I did make a PR for fixing this issue by removing the pom.xml file from the 
rebased jar https://github.com/gwtproject/gwt/pull/9785

I did scan a sample project and attached is the report. It would be great 
if anyone can help verify the fix.

On Friday, 28 October 2022 at 16:53:20 UTC+2 nilo...@gmail.com wrote:

> This is discussed at https://github.com/gwtproject/gwt/issues/9778 and 
> https://github.com/gwtproject/gwt/issues/9752: this is a false positive, 
> but still needs to be corrected. The simplest fix is probably to just stop 
> packaging up the "I am running an old version" marker file, since the 
>
> Is there a functioning "bug bounty" tool for github? I found a few options 
> that all seem defunct, but this seems like a good candidate for someone to 
> either scratch their own itch and get it fixed, or fund someone else who 
> has the time.
>
> Regardless, as someone not actually affected by this false positive (so I 
> can't justify the time right now to focus on it, run the verification that 
> tools accept the output, etc), I'll put up a bounty of 100USD (via 
> paypal/etc) to see this fixed, with a bonus 100USD for a first-time 
> contributor. If someone has experience with a platform for setting up 
> bounties like this, it might be helpful to formalize future issues.
>
> On Wednesday, October 26, 2022 at 4:07:48 PM UTC-5 bsha...@qvera.com 
> wrote:
>
>> I know that this conversation is about 2 years old.  We upgraded to GWT 
>> 2.10 in hopes that it would resolve the following vulnerabilities with 
>> protobuf-java; they are all being reported in the gwt-servlet.jar (version 
>> 2.10.0):
>> https://nvd.nist.gov/vuln/detail/CVE-2022-3171
>> https://www.cve.org/CVERecord?id=CVE-2015-5237
>> https://github.com/advisories/GHSA-wrvw-hg22-4m67
>> https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
>> https://nvd.nist.gov/vuln/detail/CVE-2021-22569
>>
>> These are all being reported in our project by the AWS Enhanced 
>> Scanning.  Is there any way to upgrade Protobuf from 2.5.0 to the latest 
>> version of 3.21.8?
>>
>> Thanks in advance.
>> Ben
>>
>> On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com wrote:
>>
>>> Thank you very much for quick responses.
>>> Here are Vulnerabilities listed -
>>>
>>>
>>> Gwt-dev.jar -
>>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
>>> available version -9.2.27+ ) 
>>> [Associated CVEs -  
>>> CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
>>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)  
>>> [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>>> version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
>>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>>> available version - 3.4.0) [CVE-2015-5237]
>>> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
>>> version- 2.37) [CVE-2020-5529]
>>>
>>> Gwt-servlet.jar -
>>> 1.1 Vulnerable version of Google Protobuf(current version - 
>>> 2.5.0, available version - 3.4.0) [CVE-2015-5237]
>>>
>>>
>>> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>>>
>>>>
>>>> Hi All,
>>>>
>>>> Security vulnerabilities have been detected in gwt-dev.jar & 
>>>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>>>> tool.
>>>>
>>>> Below are the details -
>>>>
>>>> Gwt-dev.jar -
>>>> 1.1 Vulnerable version of jetty library (current version 9.2.14, 
>>>> available version 9.2.27+)
>>>> 1.2 Vulnerable version of commons-collections (current version 3.2.1)
>>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current 
>>>> version 4.3.1)
>>>> 1.4 Vulnerable version of Google Protobuf (current version 2.5.0, 
>>>> available version 3.4.0)
>>>> 1.5 Vulnerable version of htmlunit (current version 2.19, 
>>>> available version 2.37)
>>>>
>>>> Gwt-servlet.jar -
>>>> 1.1 Vulnerable version of Google Protobuf (current version 
>>>> 2.5.0, available version 3.4.0)
>>>>
>>>> Given above vulnerabilities -
>>>> 1. Are those security issues addressed in the latest 2.9.0 release?
>>>> 2. If not, is there a plan to include them in any future release, say 3.x?
>>>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>>>> flagged as a false positive, do any attack surfaces still exist?
>>>>
>>>

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/802ff23c-f281-4f18-8c7e-947b18d60fb2n%40googlegroups.com.


Re: Security Vulnerabilities with GWT

2022-10-28 Thread Colin Alworth
This is discussed at https://github.com/gwtproject/gwt/issues/9778 and 
https://github.com/gwtproject/gwt/issues/9752: this is a false positive, 
but still needs to be corrected. The simplest fix is probably to just stop 
packaging up the "I am running an old version" marker file, since the 

Is there a functioning "bug bounty" tool for github? I found a few options 
that all seem defunct, but this seems like a good candidate for someone to 
either scratch their own itch and get it fixed, or fund someone else who 
has the time.

Regardless, as someone not actually affected by this false positive (so I 
can't justify the time right now to focus on it, run the verification that 
tools accept the output, etc), I'll put up a bounty of 100USD (via 
paypal/etc) to see this fixed, with a bonus 100USD for a first-time 
contributor. If someone has experience with a platform for setting up 
bounties like this, it might be helpful to formalize future issues.

On Wednesday, October 26, 2022 at 4:07:48 PM UTC-5 bsha...@qvera.com wrote:

> I know that this conversation is about 2 years old.  We upgraded to GWT 
> 2.10 in hopes that it would resolve the following vulnerabilities with 
> protobuf-java; they are all being reported in the gwt-servlet.jar (version 
> 2.10.0):
> https://nvd.nist.gov/vuln/detail/CVE-2022-3171
> https://www.cve.org/CVERecord?id=CVE-2015-5237
> https://github.com/advisories/GHSA-wrvw-hg22-4m67
> https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
> https://nvd.nist.gov/vuln/detail/CVE-2021-22569
>
> These are all being reported in our project by the AWS Enhanced Scanning.  
> Is there any way to upgrade Protobuf from 2.5.0 to the latest version of 
> 3.21.8?
>
> Thanks in advance.
> Ben
>
> On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com wrote:
>
>> Thank you very much for quick responses.
>> Here are Vulnerabilities listed -
>>
>>
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
>> available version -9.2.27+ ) 
>> [Associated CVEs -  
>> CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ 
>> CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>> version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>> available version - 3.4.0) [CVE-2015-5237]
>> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
>> version- 2.37) [CVE-2020-5529]
>>
>> Gwt-servlet.jar -
>> 1.1 Vulnerable version of Google Protobuf(current version - 
>> 2.5.0, available version - 3.4.0) [CVE-2015-5237]
>>
>>
>> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>>
>>>
>>> Hi All,
>>>
>>> Security vulnerabilities have been detected in gwt-dev.jar & 
>>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>>> tool.
>>>
>>> Below are the details -
>>>
>>> Gwt-dev.jar -
>>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
>>> available version -9.2.27+ )
>>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
>>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>>> version - 4.3.1)
>>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>>> available version - 3.4.0)
>>> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
>>> version- 2.37)
>>>
>>> Gwt-servlet.jar -
>>> 1.1 Vulnerable version of Google Protobuf(current version - 
>>> 2.5.0, available version - 3.4.0)
>>>
>>> Given above vulnerabilities -
>>> 1. Are those security issues addressed in the latest 2.9.0 release?
>>> 2. If not, is there a plan to include them in any future release, say 3.x?
>>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>>> flagged as a false positive, do any attack surfaces still exist?
>>>
>>



Re: Security Vulnerabilities with GWT

2022-10-26 Thread 'Ben Shapiro' via GWT Users
I know that this conversation is about 2 years old.  We upgraded to GWT 
2.10 in hopes that it would resolve the following vulnerabilities with 
protobuf-java; they are all being reported in the gwt-servlet.jar (version 
2.10.0):
https://nvd.nist.gov/vuln/detail/CVE-2022-3171
https://www.cve.org/CVERecord?id=CVE-2015-5237
https://github.com/advisories/GHSA-wrvw-hg22-4m67
https://github.com/advisories/GHSA-h4h5-3hr4-j3g2
https://nvd.nist.gov/vuln/detail/CVE-2021-22569

These are all being reported in our project by the AWS Enhanced Scanning.  
Is there any way to upgrade Protobuf from 2.5.0 to the latest version of 
3.21.8?

Thanks in advance.
Ben

On Tuesday, June 30, 2020 at 4:16:01 AM UTC-6 priyako...@gmail.com wrote:

> Thank you very much for quick responses.
> Here are Vulnerabilities listed -
>
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ ) 
> [Associated CVEs -  
> CVE-2017-7656,CVE-2017-7657,CVE-2017-7658,CVE-2017-9735,CVE-2018-12536]
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)  [ 
> CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)  [ CVE-2015-6420,CVE-2017-15708,CVE-2014-3577]
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0) [CVE-2015-5237]
> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
> version- 2.37) [CVE-2020-5529]
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0) [CVE-2015-5237]
>
>
> On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>>
>>
>> Hi All,
>>
>> Security vulnerabilities have been detected in gwt-dev.jar & 
>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>> tool.
>>
>> Below are the details -
>>
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
>> available version -9.2.27+ )
>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>> version - 4.3.1)
>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>> available version - 3.4.0)
>> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
>> version- 2.37)
>>
>> Gwt-servlet.jar -
>> 1.1 Vulnerable version of Google Protobuf(current version - 
>> 2.5.0, available version - 3.4.0)
>>
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in the latest 2.9.0 release?
>> 2. If not, is there a plan to include them in any future release, say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>> flagged as a false positive, do any attack surfaces still exist?
>>
>



Re: Security Vulnerabilities with GWT 2.10

2022-09-01 Thread Thomas Broyer


On Thursday, September 1, 2022 at 11:57:07 AM UTC+2 priyako...@gmail.com 
wrote:

> Thanks for response.
>
> One more CVE has been reported for the gwt-dev jar for the htmlUnit 
> component. Details of the CVE are as below -
> CVE - CVE-2022-29546
> severity - 7.5 
> Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial 
> of service vulnerability. Crafted input associated with the parsing of 
> Processing Instruction (PI) data leads to heap memory consumption.
>
> Are there any plans to mitigate the above vulnerability?
> As we know that gwt-dev.jar is used for development purposes (in our 
> application, we remove gwt-dev.jar post compilation), do any attack 
> surfaces still exist?
>

It depends on whether you a) use GWTTestCase, b) run them with the HtmlUnit 
runner, and c) those tests load external resources not under your control (that 
could contain the processing instruction triggering the OOME).



Re: Security Vulnerabilities with GWT 2.10

2022-09-01 Thread priyako...@gmail.com
Thanks for response.

One more CVE has been reported for the gwt-dev jar for the htmlUnit 
component. Details of the CVE are as below -
CVE - CVE-2022-29546
severity - 7.5 
Description - HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial 
of service vulnerability. Crafted input associated with the parsing of 
Processing Instruction (PI) data leads to heap memory consumption.

Are there any plans to mitigate the above vulnerability?
As we know that gwt-dev.jar is used for development purposes (in our 
application, we remove gwt-dev.jar post compilation), do any attack 
surfaces still exist?

On Saturday, 30 July 2022 at 03:15:45 UTC+5:30 t.br...@gmail.com wrote:

> On Friday, July 29, 2022 at 1:27:36 PM UTC+2 priyako...@gmail.com wrote:
>
>> Hi All,
>>
>> Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release 
>> have been reported by Dependency checker tool - 
>>
>> [image: gwt-dev_vulnerablities.PNG]
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in the latest 2.10.0 release?
>> 2. If not, is there a plan to include them in any future release, say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes (in our 
>> application, we remove gwt-dev.jar post compilation), do any attack 
>> surfaces still exist?
>>
>
> IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it 
> might also be used for generating source maps at build time, I don't 
> remember); sourcemaps are bundled with your application so they can hardly 
> be considered "untrusted data".
> James (mime4j) is a transitive dependency of HTMLUnit, used for testing. 
> It's not clear whether the mime4j component of James is vulnerable (I'd say 
> no), but it's only used for unit tests where I'd say you shouldn't load any 
> untrusted data.
> Jetty as used in GWT won't do HTTP/2.
>
> So, the only possible attack surface would be untrusted URLs loaded during 
> tests.
>



Re: Security Vulnerabilities with GWT 2.10

2022-07-29 Thread Thomas Broyer


On Friday, July 29, 2022 at 1:27:36 PM UTC+2 priyako...@gmail.com wrote:

> Hi All,
>
> Below Security Vulnerabilities in gwt-dev.jar in latest GWT 2.10 release 
> have been reported by Dependency checker tool - 
>
> [image: gwt-dev_vulnerablities.PNG]
> Given above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.10.0 release?
> 2. If not, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes (in our 
> application, we remove gwt-dev.jar post compilation), do any attack 
> surfaces still exist?
>

IIRC, GSON is used to load sourcemaps when deobfuscating stacktraces (it 
might also be used for generating source maps at build time, I don't 
remember); sourcemaps are bundled with your application so they can hardly 
be considered "untrusted data".
James (mime4j) is a transitive dependency of HTMLUnit, used for testing. 
It's not clear whether the mime4j component of James is vulnerable (I'd say 
no), but it's only used for unit tests where I'd say you shouldn't load any 
untrusted data.
Jetty as used in GWT won't do HTTP/2.

So, the only possible attack surface would be untrusted URLs loaded during 
tests.



Re: Security Vulnerabilities with GWT

2020-06-30 Thread Priya Kolekar
Thank you very much for quick responses.
Here are the vulnerabilities listed -


Gwt-dev.jar -
1.1 Vulnerable version of jetty library (current version 9.2.14, available 
version 9.2.27+) 
[Associated CVEs - 
CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2018-12536]
1.2 Vulnerable version of commons-collections (current version 3.2.1) 
[CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
1.3 Vulnerable version of org.apache.httpcomponents:httpclient (current 
version 4.3.1) [CVE-2015-6420, CVE-2017-15708, CVE-2014-3577]
1.4 Vulnerable version of Google Protobuf (current version 2.5.0, 
available version 3.4.0) [CVE-2015-5237]
1.5 Vulnerable version of htmlunit (current version 2.19, available 
version 2.37) [CVE-2020-5529]

Gwt-servlet.jar -
1.1 Vulnerable version of Google Protobuf (current version 2.5.0, 
available version 3.4.0) [CVE-2015-5237]


On Monday, 29 June 2020 16:27:41 UTC+5:30, Priya Kolekar wrote:
>
>
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & 
> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
> tool.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ )
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
> version- 2.37)
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>
> Given above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.9.0 release?
> 2. If not, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes & can be 
> flagged as a false positive, do any attack surfaces still exist?
>



Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
The gwt-servlet issue is only on C++ versions of protobuf, so we believe there 
is no exploit here at all.

The other issues are all specific to gwt-dev, and neither gwt-dev.jar nor 
gwt-user.jar should ever be deployed as part of a running server application, 
so none of those should be exploitable either.


On Mon, Jun 29, 2020, at 10:38 AM, Velusamy Velu wrote:
> Is there a documented or demonstrated case of break-in using any of the 
> vulnerabilities listed in your post, in an application developed with GWT 
> framework? Do these vulnerabilities matter if a GWT application doesn't use 
> GWT's RPC?
> 
> On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:
>> 
>> Hi All,
>> 
>> Security vulnerabilities have been detected in gwt-dev.jar & 
>> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
>> tool.
>> 
>> Below are the details -
>> 
>> Gwt-dev.jar -
>> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, available 
>> version -9.2.27+ )
>> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
>> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
>> version - 4.3.1)
>> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, available 
>> version - 3.4.0)
>> 1.5 Vulnerable version of htmlunit ( current version - 2.19 , available 
>> version- 2.37)
>> 
>> Gwt-servlet.jar -
>>  1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
>> available version - 3.4.0)
>> 
>> Given above vulnerabilities -
>> 1. Are those security issues addressed in the latest 2.9.0 release?
>> 2. If not, is there a plan to include them in any future release, say 3.x?
>> 3. As we know that gwt-dev.jar is used for development purposes & can be 
>> flagged as a false positive, do any attack surfaces still exist?



Re: Security Vulnerabilities with GWT

2020-06-29 Thread Velusamy Velu
Is there a documented or demonstrated case of break-in using any of the 
vulnerabilities listed in your post, in an application developed with GWT 
framework? Do these vulnerabilities matter if a GWT application doesn't use 
GWT's RPC?

On Monday, June 29, 2020 at 6:57:41 AM UTC-4, Priya Kolekar wrote:
>
>
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & 
> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
> tool.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ )
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
> 1.5  Vulnerable version of htmlunit ( current version - 2.19 , available 
> version- 2.37)
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>
> Given above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.9.0 release?
> 2. If not, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes & can be 
> flagged as a false positive, do any attack surfaces still exist?
>



Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer


On Monday, June 29, 2020 at 12:57:41 PM UTC+2, Priya Kolekar wrote:
>
>
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & 
> gwt-servlet.jar (in release 2.8.2) & are reported by the Dependency checker 
> tool.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ )
>

Dev servers only listen on 127.0.0.1 by default, which already limits the 
attack surface a lot.
I don't know the details of the vulnerabilities, but I suspect many would 
be hard to exploit in a dev environment, even if you opened your dev 
servers to other machines on your network.


> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
>

https://snyk.io/vuln/search?q=commons-collections=maven
This is all related to Java Object Serialization. GWT does not use 
serialization across the network AFAICT (some objects are serialized to 
disk as a persistent cache, but then they're not vulnerable)


> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)
>

https://snyk.io/vuln/maven:org.apache.httpcomponents%3Ahttpclient
HttpClient is a dependency of HtmlUnit, it'll only be used during your 
GWTTestCase tests (if you run them with HtmlUnit)


> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>

This (https://snyk.io/vuln/maven:com.google.protobuf%3Aprotobuf-java) is a 
false positive: it's actually in the C++ version.

> 1.5 Vulnerable version of htmlunit (current version 2.19, available 
> version 2.37)
>

https://snyk.io/vuln/SNYK-LINUX-HTMLUNIT-548874
You're only vulnerable if you load untrusted third-party scripts within 
your GWTTestCase tests (and you use HtmlUnit to run them)


> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>

As said in my other message, this is an "internal" dependency (and probably 
never used for serialization/deserialization of protobuf objects), and as 
seen above, the vulnerability actually is in Protobuf C++, not Protobuf 
Java.

> Given above vulnerabilities -
> 1. Are those security issues addressed in the latest 2.9.0 release?
> 2. If not, is there a plan to include them in any future release, say 3.x?
> 3. As we know that gwt-dev.jar is used for development purposes & can be 
> flagged as a false positive, do any attack surfaces still exist?
>

Given the above, I'd say no.

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/8dd17a2b-d9e8-411f-ac35-426dbfec5b6fo%40googlegroups.com.


Re: Security Vulnerabilities with GWT

2020-06-29 Thread Thomas Broyer


On Monday, June 29, 2020 at 3:36:11 PM UTC+2, Colin Alworth wrote:
>
> 1. No, these dependencies were not updated as part of the 2.9.0 release 
>
> 2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 
> 3.x release is going to be structured in a different enough of a way that 
> none of these will be present.
>
> 3. At a quick glance, it appears to be an oversight that protobuf is 
> included in gwt-servlet and can be entirely removed. I believe this is 
> likely a false positive if it is not used, since it gets a custom package, 
> so will not interfere with other protobuf dependencies.
>

From a quick search in gwtproject/tools, protobuf is a transitive 
dependency of jscomp-sourcemaps, and it *is* indeed the rebased/repackaged 
version.

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/674eca0f-36d2-48fa-88f1-2a5ccdb2c494o%40googlegroups.com.
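To make the "rebased/repackaged" point concrete (this message and the earlier one explaining why the gwt-servlet protobuf hit is a false positive), here is an added example, not code from the GWT project or from this thread: it lists the Maven marker entries (META-INF/maven/.../pom.properties or pom.xml) that a dependency scanner matches on, and checks whether the flagged library's classes are present under the upstream package or only under a relocated one. The relocated package name com/example/thirdparty/protobuf/ and the sample jar are assumptions constructed for the example, not GWT's actual layout.

```python
"""Added example (not code from the GWT project or this thread): inspect a jar
for the Maven marker files a dependency scanner keys on, and check whether the
flagged library's classes sit under their original package or only under a
relocated ("rebased") one. The sample jar is constructed inline."""
import io
import re
import zipfile

# Maven metadata lives at META-INF/maven/<groupId>/<artifactId>/pom.properties|pom.xml
MARKER_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.(properties|xml)$")


def analyze_jar(jar_bytes, group_id, original_pkg, relocated_pkg):
    """Report what a scanner sees (markers) versus where the classes really are.

    group_id      - Maven groupId the scanner flags, e.g. com.google.protobuf
    original_pkg  - path prefix of the upstream classes, e.g. "com/google/protobuf/"
    relocated_pkg - prefix used by the repackaged copy (an assumed name here)
    """
    markers, original, relocated = [], 0, 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            m = MARKER_RE.match(name)
            if m and m.group(1) == group_id:
                markers.append(name)
            elif name.endswith(".class"):
                if name.startswith(original_pkg):
                    original += 1
                elif name.startswith(relocated_pkg):
                    relocated += 1
    return {
        "markers": markers,             # the entries that trigger the report
        "original_classes": original,   # reachable/clashing as the real library
        "relocated_classes": relocated,
        # marker present but only relocated classes: the report is likely a false positive
        "likely_false_positive": bool(markers) and original == 0 and relocated > 0,
    }


def build_sample_jar():
    """Constructed sample: a protobuf-java marker plus classes under an assumed
    relocated package (not GWT's real layout); class bodies are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
                     "version=2.5.0\ngroupId=com.google.protobuf\nartifactId=protobuf-java\n")
        jar.writestr("com/example/thirdparty/protobuf/Message.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/app/Service.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

A relocated copy still contains the same upstream code, so "likely false positive" only means the scanner matched a marker rather than a reachable library; whether the bundled code is used at all (as Thomas notes for serialization) is a separate question.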


Re: Security Vulnerabilities with GWT

2020-06-29 Thread Colin Alworth
1. No, these dependencies were not updated as part of the 2.9.0 release
2. An update would come either in a 2.9.x bugfix release, or in 2.10 - the 
3.x release is going to be structured in a different enough of a way that 
none of these will be present.
3. At a quick glance, it appears to be an oversight that protobuf is 
included in gwt-servlet and can be entirely removed. I believe this is 
likely a false positive if it is not used, since it gets a custom package, 
so will not interfere with other protobuf dependencies.

Can you share the full report you obtained so we can confirm that #3 is 
true, and file an issue with all the details? I'll start work on confirming 
we can remove it from gwt-servlet, and after we are certain about these 
issues we look into making a release.
On Monday, June 29, 2020 at 5:57:41 AM UTC-5 priyako...@gmail.com wrote:

>
> Hi All,
>
> Security vulnerabilities have been detected in gwt-dev.jar & 
> gwt-servlet.jar (in release 2.8.2) & are reported by a dependency checker 
> tool.
>
> Below are the details -
>
> Gwt-dev.jar -
> 1.1 Vulnerable version of jetty library(current version-- 9.2.14, 
> available version -9.2.27+ )
> 1.2 Vulnerable version of commons-collections(current version - 3.2.1)
> 1.3 Vulnerable version of org.apache.httpcomponents:httpclient(current 
> version - 4.3.1)
> 1.4 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
> 1.5 Vulnerable version of htmlunit (current version - 2.19, available 
> version- 2.37)
>
> Gwt-servlet.jar -
> 1.1 Vulnerable version of Google Protobuf(current version - 2.5.0, 
> available version - 3.4.0)
>
> Given above vulnerabilities -
> 1. Are those security issues addressed in latest 2.9.0 release?
> 2. If no, is there a plan to include them in any future release say 3.x?
> 3. As we know that gwt-dev.jar is used for development purpose & can be 
> flagged as a false positive, are there still any attack surfaces?
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-web-toolkit/3c7a79d4-7ce4-4000-bb50-e040f2110bden%40googlegroups.com.