Apache Causeway ViewModel Java Deserialization RCE

Successful exploitation results in authenticated remote code execution. An attacker can run arbitrary code with the privileges of the affected Apache Causeway application, which may enable full compromise of the application instance, access to application data, further post-exploitation activity from the application context, and potential service disruption or lateral movement depending on the application's privileges and environment.

If immediate patching is not possible, reduce exposure of the vulnerable ViewModel functionality and any associated routes that accept user-controllable URL parameters. Restrict access to affected application paths to trusted users and networks, enforce strong authentication and authorization, and minimize the number of users able to reach the vulnerable functionality. Additional compensating controls may include placing the application behind network access controls or reverse proxies that limit access to the affected endpoints until the upgrade can be completed.

Upgrade Apache Causeway to version 3.5.0 or later, which is identified in the provided content as the release that fixes this issue. Because the content states that all current versions are affected, organizations should prioritize upgrading all deployments that use Causeway ViewModel functionality. After upgrading, validate that affected endpoints no longer accept unsafe deserialization input and review application exposure for any residual risk.