CVE-2021-31407

8.6 HIGH

📋 TL;DR

This vulnerability in Vaadin's OSGi integration allows an unauthenticated attacker to retrieve server-side application classes and classpath resources with a crafted HTTP request. It affects com.vaadin:flow-server versions 1.2.0 through 2.4.7 (Vaadin 12.0.0 through 14.4.9) and 6.0.0 through 6.0.1 (Vaadin 19.0.0), and only deployments that run in an OSGi container. Compiled classes can be decompiled, and bundled resources such as property files frequently carry database credentials or API keys, so the practical impact is disclosure of source logic and secrets rather than direct code execution.

💻 Affected Systems

Products:
  • Vaadin Flow (com.vaadin:flow-server), OSGi integration
  • Vaadin platform releases that bundle the affected Flow versions
Versions: Flow 1.2.0-2.4.7 (Vaadin 12.0.0-14.4.9) and Flow 6.0.0-6.0.1 (Vaadin 19.0.0)
Operating Systems: All operating systems running affected Vaadin versions
Default Config Vulnerable: ⚠️ Yes, for OSGi deployments: nothing beyond running an affected Flow version inside an OSGi container is required
Notes: Only affects applications using the OSGi integration. Non-OSGi deployments (for example a plain WAR on a standard servlet container) are not vulnerable.

📦 What is this software?

Vaadin Flow is the Java, server-side UI framework underneath Vaadin 10 and later, published as com.vaadin:flow-server. Its OSGi integration packages Flow so that an application can run inside an OSGi container instead of a plain servlet container; that integration, not the core framework, contains the flaw.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of compiled classes and bundled resources that contain secrets (database passwords, API keys, signing keys), giving the attacker both the application's source logic and the credentials to reach the systems behind it.

🟠 Likely Case

Unauthenticated read access to application classes, configuration files and other classpath resources, revealing internal structure and any secrets stored alongside the code.

🟢 If Mitigated

Limited impact where network access to the application is restricted to trusted sources, though anyone who can still reach it can enumerate the application's internal structure.

🌐 Internet-Facing: HIGH - Exploitable via HTTP requests without authentication, making internet-facing applications particularly vulnerable.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised internal systems, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires only crafted HTTP requests, no authentication needed.

The flaw sits in the OSGi integration's HTTP handling: it served application classes and resources from the bundle in response to crafted requests, bypassing the restrictions the standard (non-OSGi) Vaadin servlet applies to resource paths. The public description gives no request pattern, so detection has to rely on generic resource-path heuristics.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Flow 2.4.8 or later, Flow 6.0.2 or later

Vendor Advisory: https://vaadin.com/security/cve-2021-31407

Restart Required: Yes

Instructions:

1. Update the Vaadin Flow dependency to 2.4.8 or later (Vaadin 14 line) or 6.0.2 or later (Vaadin 19 line). If the version is inherited from the vaadin-bom rather than declared as a direct flow-server dependency, raise the BOM to a platform release newer than 14.4.9 or 19.0.0.
2. Update pom.xml or build.gradle with the new version.
3. Rebuild and redeploy the application.
4. Restart the application server (or redeploy the bundle in the OSGi container).

🔧 Temporary Workarounds

Disable OSGi Integration (platform: all)

If OSGi is not actually required, repackage the application as a plain WAR for a standard servlet container; this removes the vulnerable component entirely. This is a deployment change rather than a configuration switch, and it is only viable when nothing else in the stack depends on the OSGi container.

Network Access Controls (platform: linux)

Restrict access to vulnerable applications using firewall rules or network segmentation. Replace [app_port] with the listener port and [trusted_ips] with a comma-separated list of addresses or CIDRs (or add one ACCEPT line per range); the DROP must come after the ACCEPTs because iptables evaluates rules in order. If the application sits behind a reverse proxy or load balancer, the source address seen by the host is the proxy's, so enforce the allow-list at the proxy instead.

iptables -A INPUT -p tcp --dport [app_port] -s [trusted_ips] -j ACCEPT   # one ACCEPT per trusted range, or a comma-separated list
iptables -A INPUT -p tcp --dport [app_port] -j DROP                      # must follow the ACCEPT rules

🧯 If You Can't Patch

  • Implement strict network access controls so that only trusted sources can reach the vulnerable application
  • Deploy a web application firewall (WAF) in front of the application; because no request signature for this flaw has been published, rules can only be heuristic (deny requests whose path ends in .class or .jar or contains OSGI-INF/ or OSGI-OPT/), so treat this as defence in depth, not a substitute for patching

🔍 How to Verify

Check if Vulnerable:

Determine the resolved com.vaadin:flow-server version. It is rarely declared directly: Maven projects inherit it from the vaadin-bom and Gradle projects from the Vaadin platform dependency, so inspect the resolved dependency list rather than grepping the build file for the coordinate. If the resolved version is in 1.2.0-2.4.7 or 6.0.0-6.0.1 and the application is deployed in an OSGi container, it is vulnerable.

Check Version:

mvn dependency:list | grep 'com.vaadin:flow-server'        # Maven: version is normally inherited from vaadin-bom, so ask Maven for the resolved artifact
./gradlew dependencies | grep 'com.vaadin:flow-server'      # Gradle: the resolved version appears after ' -> ' when the BOM overrides it

Verify Fix Applied:

Verify that the resolved com.vaadin:flow-server version is 2.4.8+ or 6.0.2+ and, against a test deployment, that requests for application class or resource paths which previously returned 200 now return 403 or 404.
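The version check above is easy to get wrong by hand because "2.4.10" sorts before "2.4.8" as a string. The following is an added example, not code from the Vaadin advisory or the Vaadin project: it reads the output of mvn dependency:list or gradlew dependencies (sample output constructed inline), extracts the resolved flow-server version, and compares it numerically against the affected ranges. It only answers the version question; whether the application runs in an OSGi container still has to be checked separately.

```python
"""Added example (not from the Vaadin advisory or project): classify a resolved
com.vaadin:flow-server version against the CVE-2021-31407 affected ranges."""
import re

# Affected ranges from the advisory text: Flow 1.2.0-2.4.7 and 6.0.0-6.0.1, inclusive.
AFFECTED_RANGES = [((1, 2, 0), (2, 4, 7)), ((6, 0, 0), (6, 0, 1))]

def parse_version(v):
    """Turn '2.4.10' into (2, 4, 10) so comparisons are numeric, not lexical
    ('2.4.10' < '2.4.8' as strings would mislabel a fixed build)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Matches the Maven form 'com.vaadin:flow-server:jar:2.4.7:compile' and the Gradle tree
# form 'com.vaadin:flow-server:2.4.7', optionally followed by ' -> 2.4.8' when a BOM
# or conflict resolution overrides the declared version.
_FLOW_RE = re.compile(
    r"com\.vaadin:flow-server:(?:jar:)?(\d+\.\d+\.\d+[\w.-]*)(?: -> (\d+\.\d+\.\d+[\w.-]*))?"
)

def flow_server_versions(tool_output):
    """Return the flow-server versions that actually resolve. For Gradle's 'a -> b',
    b is the version that ships, so it wins over the declared one."""
    return [m.group(2) or m.group(1) for m in _FLOW_RE.finditer(tool_output)]

def assess(tool_output):
    """Map each resolved flow-server version to True (affected) or False (fixed)."""
    return {v: is_affected(v) for v in flow_server_versions(tool_output)}

# Constructed sample output (not captured from a real build), in the shapes that
# `mvn dependency:list` and `./gradlew dependencies` print.
SAMPLE_MAVEN = """\
[INFO] The following files have been resolved:
[INFO]    com.vaadin:flow-server:jar:2.4.7:compile
[INFO]    com.vaadin:flow-client:jar:2.4.7:compile
"""
SAMPLE_GRADLE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.vaadin:flow-server:2.4.7 -> 2.4.8
"""

if __name__ == "__main__":
    for name, out in (("maven", SAMPLE_MAVEN), ("gradle", SAMPLE_GRADLE)):
        for version, affected in assess(out).items():
            print(f"{name}: flow-server {version}: {'VULNERABLE' if affected else 'fixed'}")
```

Feed it real build output with `mvn dependency:list | python3 check_flow.py` style piping once you wrap `assess(sys.stdin.read())`; the script name is hypothetical.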

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests for compiled-class or bundle-resource paths (ending in .class or .jar) that the application never serves legitimately
  • Access attempts to /OSGI-INF/, /OSGI-OPT/ or similar bundle-metadata paths (heuristic indicators; the real request form is not public)
  • A burst of 403 or 404 responses for such paths after patching, which usually marks a scanner that was previously succeeding

Network Indicators:

  • HTTP requests with crafted paths targeting OSGi directories
  • Unusual traffic patterns to application endpoints

SIEM Query:

source="web_server_logs" status_code=200 (uri_path="*/OSGI-INF/*" OR uri_path="*/OSGI-OPT/*" OR uri_path="*.class" OR uri_path="*.jar")
| stats count AS hits, values(uri_path) AS paths BY src_ip
| sort - hits
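The log indicators above are path heuristics, so the useful detection is not a single match but a per-client summary: who requested class or bundle-resource paths, and how many of those requests the server actually answered with 2xx. The following is an added example, not part of the original advisory: it parses constructed combined-format access-log lines, percent-decodes paths (twice, so an encoded dash in OSGI%252DINF is not missed) and reports per source address. The path fragments are the advisory's heuristics, not a published exploit signature.

```python
"""Added example (not from the original advisory): a per-client detector for the
CVE-2021-31407 log indicators, run over constructed access-log lines."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic fragments from the advisory, compared after decoding and lower-casing so
# "/osgi-inf/", "/OSGI-INF/" and "/OSGI%2DINF/" all match.
SUSPICIOUS = ("/osgi-inf/", "/osgi-opt/", ".class", ".jar")

def parse_line(line):
    """Return a dict with ip/method/path/status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice: a double-encoded path is what the server ends up resolving.
    rec["path"] = unquote(unquote(rec["path"])).lower()
    return rec

def is_suspicious(path):
    return any(frag in path for frag in SUSPICIOUS)

def scan(lines):
    """Return {ip: {"hits": n, "served": m, "paths": [...]}} for clients that requested
    suspicious paths. 'served' counts 2xx responses: on an unpatched server those are
    the requests that actually leaked a class or resource."""
    report = defaultdict(lambda: {"hits": 0, "served": 0, "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec["path"]):
            continue
        entry = report[rec["ip"]]
        entry["hits"] += 1
        if 200 <= rec["status"] < 300:
            entry["served"] += 1
        entry["paths"].append(rec["path"])
    return dict(report)

# Constructed sample lines (not real traffic): one scanner, one ordinary Vaadin user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:12:00:01 +0000] "GET /OSGI-INF/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:12:00:02 +0000] "GET /com/example/app/Config.class HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.7 - - [10/Mar/2021:12:00:03 +0000] "GET /osgi%252Dinf/MANIFEST.MF HTTP/1.1" 404 0 "-" "curl/7.68.0"
198.51.100.4 - - [10/Mar/2021:12:00:04 +0000] "GET /VAADIN/build/vaadin-bundle.js HTTP/1.1" 200 90000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:12:00:05 +0000] "POST /?v-r=uidl HTTP/1.1" 200 300 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} suspicious requests, {info['served']} served with 2xx")
        for p in info["paths"]:
            print("   ", p)
```

A client with served > 0 on an unpatched server is the one to investigate first; after patching, the same client showing only 403/404 hits is the scanner the third log indicator describes.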
