Posted to users@myfaces.apache.org by Mike Kienenberger <mk...@gmail.com> on 2016/09/29 15:50:28 UTC

CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Trinidad from 1.0.0 to 1.0.13
Trinidad from 1.2.1 to 1.2.14
Trinidad from 2.0.0 to 2.0.1
Trinidad from 2.1.0 to 2.1.1

Description:

Trinidad’s CoreResponseStateManager both reads and writes view state strings using
ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad bypasses the
view state security features provided by the JSF implementations - i.e. the view
state is not encrypted and is not MAC’ed.

Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state
strings, which makes Trinidad-based applications vulnerable to deserialization
attacks.

Mitigation:

All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and
enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related
web configuration parameters.
See http://wiki.apache.org/myfaces/Secure_Your_Application for details.

Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent
certain well-known vectors of attack, but will not entirely resolve this issue.

References:
https://issues.apache.org/jira/browse/TRINIDAD-2542

This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz
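
The pattern the Description above refers to, as an added example that is not Trinidad's code and not part of the advisory: a view-state token that is nothing more than base64 of raw ObjectOutputStream bytes and is fed straight back into ObjectInputStream, beside a hardened form that MACs the serialized bytes, verifies the tag in constant time before any parsing happens, and restricts which classes the stream may resolve. The ViewState class, the token format, the demo key and the allowlist are assumptions of this example; MyFaces' own StateUtils additionally encrypts the state, which this example omits to keep the integrity check visible.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative view-state handling (assumed, not Trinidad's real code). */
public class ViewStateDemo {

    // Assumed stand-in for a JSF state tree; real view state is much larger.
    static final class ViewState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String viewId;
        final int counter;
        ViewState(String viewId, int counter) { this.viewId = viewId; this.counter = counter; }
    }

    // ---- Vulnerable pattern: request bytes go straight into ObjectInputStream ----
    static String encodeUnsafe(Object state) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(state);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    static Object decodeUnsafe(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        // No MAC and no class restriction: any serializable class on the
        // classpath can be instantiated by whoever controls the token.
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject();
        }
    }

    // ---- Hardened pattern: HMAC verified before parsing, plus a class allowlist ----
    static final String MAC_ALG = "HmacSHA256";

    static String encodeSigned(Object state, byte[] key) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(state);
        }
        byte[] body = bos.toByteArray();
        byte[] tag = hmac(key, body);
        return Base64.getEncoder().encodeToString(body) + "." + Base64.getEncoder().encodeToString(tag);
    }

    static Object decodeSigned(String token, byte[] key) throws Exception {
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("malformed view state");
        byte[] body = Base64.getDecoder().decode(token.substring(0, dot));
        byte[] tag = Base64.getDecoder().decode(token.substring(dot + 1));
        // Constant-time compare; reject before ObjectInputStream ever sees the bytes.
        if (!MessageDigest.isEqual(hmac(key, body), tag)) {
            throw new SecurityException("view state MAC mismatch");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(body)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc)
                    throws IOException, ClassNotFoundException {
                // Defence in depth: even with a valid tag, only the expected class is resolved.
                if (!desc.getName().equals(ViewState.class.getName())) {
                    throw new InvalidClassException(desc.getName(), "class not allowed in view state");
                }
                return super.resolveClass(desc);
            }
        }) {
            return ois.readObject();
        }
    }

    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key, MAC_ALG));
        return mac.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "demo-key-replace-with-random-bytes".getBytes(StandardCharsets.UTF_8); // assumed
        ViewState original = new ViewState("/index.xhtml", 3);

        String signed = encodeSigned(original, key);
        ViewState back = (ViewState) decodeSigned(signed, key);
        System.out.println("round trip ok: " + back.viewId + " " + back.counter);

        // Tamper with one byte of the body (constructed input): the last byte is the
        // final character of viewId, so the bytes still parse as a ViewState.
        int sep = signed.lastIndexOf('.');
        byte[] body = Base64.getDecoder().decode(signed.substring(0, sep));
        body[body.length - 1] ^= 0x01;
        String tamperedBody = Base64.getEncoder().encodeToString(body);

        try {
            decodeSigned(tamperedBody + signed.substring(sep), key);
        } catch (SecurityException e) {
            System.out.println("hardened decoder rejected: " + e.getMessage());
        }

        // The unsafe decoder has no way to notice and returns the altered object.
        ViewState forged = (ViewState) decodeUnsafe(tamperedBody);
        System.out.println("unsafe decoder accepted tampered state: " + forged.viewId);
    }
}
```

The tampered token is only a bit flip inside a String field, which is the mildest case; a crafted stream naming a gadget class on the classpath is rejected the same way, and the resolveClass allowlist is what stops it if the MAC key ever leaks. Upgrading Commons Collections removes one gadget chain, which is why the advisory says it does not resolve the issue on its own.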

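The web.xml settings the Mitigation section points at, as an added example that is not part of the advisory: the MyFaces view-state parameters that org.apache.myfaces.USE_ENCRYPTION belongs to, as documented on the linked Secure_Your_Application page. The parameter names are MyFaces core's; the algorithm choices and the placeholder values are this example's assumptions, and the keys and IV must be replaced with values generated by a CSPRNG.

```xml
<!-- web.xml fragment (example; placeholder values) -->

<!-- The weak setting: with encryption off the state is neither encrypted nor MAC'ed -->
<!--
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
</context-param>
-->

<!-- The corrected settings -->
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <!-- Base64-encoded key for the cipher named in org.apache.myfaces.ALGORITHM -->
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>BASE64_ENCODED_AES_KEY</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <!-- Base64-encoded 16-byte IV; required for CBC mode -->
    <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
    <param-value>BASE64_ENCODED_16_BYTE_IV</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
    <!-- Base64-encoded MAC key, distinct from SECRET -->
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>BASE64_ENCODED_MAC_KEY</param-value>
</context-param>
```

Every node in a cluster must carry the same SECRET and MAC_SECRET, or view state posted back to a different node will fail verification. Keep the key material out of version control, and treat a deployment that still has USE_ENCRYPTION unset or false on an upgraded Trinidad as unmitigated.
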
Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

Posted by Mike Kienenberger <mk...@apache.org>.
Clarification: The first line in this CVE [1] was a copy&paste error
during message composition and is not part of the CVE.  This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector.  I
apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mk...@gmail.com> wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad’s CoreResponseStateManager both reads and writes view state strings using
> ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad bypasses the
> view state security features provided by the JSF implementations - i.e. the view
> state is not encrypted and is not MAC’ed.
>
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state
> strings, which makes Trinidad-based applications vulnerable to deserialization
> attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and
> enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related
> web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent
> certain well-known vectors of attack, but will not entirely resolve this issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz