Posted to dev@myfaces.apache.org by "Thomas Andraschko (JIRA)" <de...@myfaces.apache.org> on 2018/01/29 20:05:00 UTC

[jira] [Comment Edited] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

    [ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16343942#comment-16343942 ] 

Thomas Andraschko edited comment on MYFACES-4133 at 1/29/18 8:04 PM:
---------------------------------------------------------------------

[~stockli] Seems like HMAC is already used. If not, please create a new issue.


was (Author: tandraschko):
[~stockli] Seems like HMAC is already used. If not, please create a new issue.
 * Visual

> Don't deserialize the ViewState-ID if the state saving method is server
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4133
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4133
>             Project: MyFaces Core
>          Issue Type: Improvement
>          Components: General
>    Affects Versions: 2.2.12
>            Reporter: Peter Stöckli
>            Assignee: Thomas Andraschko
>            Priority: Major
>             Fix For: 2.3.0
>
>         Attachments: 2.1.x-r1817658-r1817712.patch, MYFACES-4133.patch, trunk-r1817658-r1817806.patch
>
>
> Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to {{server}} (the default).
> The deserialization in this case is unnecessary and most likely even slower than just sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
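
The idea in the issue description, as an added example that is not MyFaces code and not part of the original message: with server-side state saving the client only needs an opaque ID, which can be authenticated with an HMAC and looked up in a map, so no client-supplied bytes ever reach Java deserialization. The class name `OpaqueViewStateStore` and the `id.mac` token format are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical sketch, not MyFaces code: the client holds only "id.mac";
// view state stays on the server and no client bytes reach readObject().
public class OpaqueViewStateStore {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final Map<String, byte[]> views = new ConcurrentHashMap<>();
    private final SecretKeySpec key;

    public OpaqueViewStateStore(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(String id) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        return m.doFinal(id.getBytes(StandardCharsets.UTF_8));
    }

    // Keep the state server-side; return the token for the hidden form field.
    public String save(byte[] state) throws GeneralSecurityException {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String id = B64.encodeToString(raw);
        views.put(id, state);
        return id + "." + B64.encodeToString(mac(id));
    }

    // Returns the stored state, or null for a malformed, forged or unknown token.
    public byte[] restore(String token) throws GeneralSecurityException {
        int dot = (token == null) ? -1 : token.indexOf('.');
        if (dot < 1) return null;
        String id = token.substring(0, dot);
        byte[] expected = B64.encodeToString(mac(id)).getBytes(StandardCharsets.UTF_8);
        byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        // Constant-time MAC check happens before the map lookup.
        return MessageDigest.isEqual(expected, given) ? views.get(id) : null;
    }

    public static void main(String[] args) throws Exception {
        OpaqueViewStateStore store = new OpaqueViewStateStore(RNG.generateSeed(32));
        String token = store.save("constructed sample state".getBytes(StandardCharsets.UTF_8));
        System.out.println("genuine token accepted: " + (store.restore(token) != null));
        System.out.println("tampered token accepted: " + (store.restore("A" + token) != null));
    }
}
```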