Posted to dev@wicket.apache.org by Pedro Santos <pe...@apache.org> on 2016/12/31 07:21:20 UTC

[ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

CVE-2016-6793: Apache Wicket deserialization vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 6.x and 1.5.x

Description: Depending on the ISerializer set in the Wicket application,
it's possible that a Wicket object deserialized from an untrusted source
and utilized by the application causes the code to enter an
infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
Kryo, allows an attacker to hack its serialized form to put a client into an
infinite loop if the client attempts to write to the
DeferredFileOutputStream attribute.

Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17

Credit: This issue was discovered by Jacob Baines, Tenable Network Security and
Pedro Santos

References: https://wicket.apache.org/news
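
The advisory turns on one property of field-level serializers such as Kryo: they restore an object's fields verbatim from the blob, bypassing the constructor and readObject() logic that would otherwise keep a stream-backed object in a consistent state. The following is an added example written for this page, not code from the advisory and not Wicket's fix (the mitigation remains the upgrade to 6.25.0 or 1.5.17). BufferedUploadItem is a hypothetical, simplified stand-in for a stream-backed upload item with invented fields and invariants; it is not DiskFileItem. The Kryo calls assume Kryo 5 and the ISerializer interface assumes Wicket 6.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import org.apache.wicket.serialize.ISerializer;

/**
 * Hypothetical stand-in for a stream-backed upload item (NOT Wicket's
 * DiskFileItem). Bytes are kept in memory until `threshold`, then the
 * item is supposed to spill to disk. A constructor or readObject() would
 * normally guarantee the invariants below; a field-level serializer such
 * as Kryo restores whatever the blob says, so they must be re-checked.
 */
final class BufferedUploadItem {
    int threshold;             // bytes kept in memory before spilling to disk
    long written;              // bytes the stream believes it has accepted
    byte[] buffer;             // in-memory content
    boolean thresholdExceeded; // true once the item has switched to disk

    BufferedUploadItem() { }   // no-arg constructor for field-level deserialization

    BufferedUploadItem(int threshold) {
        this.threshold = threshold;
        this.buffer = new byte[0];
    }

    /** Invariants that make subsequent writes to the item well-defined. */
    boolean isConsistent() {
        return threshold > 0
            && buffer != null
            && written == buffer.length
            && (thresholdExceeded || written <= threshold);
    }
}

/**
 * Kryo-backed ISerializer that (1) only instantiates classes registered
 * up front, (2) disables reference tracking so a blob cannot alias one
 * object into another's fields, and (3) re-validates object invariants
 * after reading. Wire it up in WebApplication.init() with
 * getFrameworkSettings().setSerializer(new ValidatingKryoSerializer()).
 */
public final class ValidatingKryoSerializer implements ISerializer {
    private final Kryo kryo = new Kryo();

    public ValidatingKryoSerializer() {
        kryo.setRegistrationRequired(true); // unknown class ids fail instead of being instantiated
        kryo.setReferences(false);          // assumption: the stored object graph has no cycles
        kryo.register(byte[].class);
        kryo.register(BufferedUploadItem.class);
    }

    @Override
    public byte[] serialize(Object object) {
        Output out = new Output(1024, -1);  // growable buffer, no upper bound
        kryo.writeClassAndObject(out, object);
        out.close();
        return out.toBytes();
    }

    @Override
    public Object deserialize(byte[] data) {
        Object obj;
        try (Input in = new Input(data)) {
            obj = kryo.readClassAndObject(in);
        }
        if (obj instanceof BufferedUploadItem && !((BufferedUploadItem) obj).isConsistent()) {
            throw new IllegalStateException("rejected upload item with inconsistent stream state");
        }
        return obj;
    }

    /** Demo: a blob produced from a tampered object is rejected on read. */
    public static void main(String[] args) {
        ValidatingKryoSerializer serializer = new ValidatingKryoSerializer();

        BufferedUploadItem good = new BufferedUploadItem(10_240);
        Object roundTripped = serializer.deserialize(serializer.serialize(good));
        System.out.println("legitimate item restored: " + (roundTripped instanceof BufferedUploadItem));

        // Constructed attacker-controlled state: the counter claims bytes the buffer does not hold.
        BufferedUploadItem tampered = new BufferedUploadItem();
        tampered.threshold = 10_240;
        tampered.buffer = new byte[0];
        tampered.written = Long.MAX_VALUE;
        byte[] blob = serializer.serialize(tampered); // serialize() does not validate, like an attacker's encoder

        try {
            serializer.deserialize(blob);
            System.out.println("BUG: tampered item accepted");
        } catch (IllegalStateException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The registration allow-list and the disabled reference tracking narrow what an attacker-supplied blob can instantiate or alias; the isConsistent() check is the part specific to stream-backed objects, and it has to be written per class, which is why a non-default ISerializer deserves an audit of every stateful type it is allowed to restore. Note that Wicket's default JavaSerializer goes through the class's own readObject() hooks, so the advisory's "depending on the ISerializer" qualifier is the first thing to check in an affected application.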

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by Martin Grigorov <mg...@apache.org>.
The site has been updated to use 1.5.17.
Thanks for letting us know!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 3, 2017 at 10:24 PM, durairaj t <du...@gmail.com> wrote:

> Thank you!
>
> On Tue, Jan 3, 2017 at 4:11 PM, Tobias Soloschenko <
> tobiassoloschenko@googlemail.com> wrote:
>
> > Hi,
> >
> > but it is released. See here: https://mvnrepository.com/arti
> > fact/org.apache.wicket/wicket-core/1.5.17
> >
> > kind regards
> >
> > Tobias
> >
> > Am 03.01.17 um 21:25 schrieb durairaj t:
> >
> >> I can see the Wicket 1.5.16 but not 1.5.17 in "
> >> https://wicket.apache.org/start/wicket-1.5.x.html#download".
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > For additional commands, e-mail: users-help@wicket.apache.org
> >
> >
>

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by durairaj t <du...@gmail.com>.
Thank you!

On Tue, Jan 3, 2017 at 4:11 PM, Tobias Soloschenko <
tobiassoloschenko@googlemail.com> wrote:

> Hi,
>
> but it is released. See here: https://mvnrepository.com/arti
> fact/org.apache.wicket/wicket-core/1.5.17
>
> kind regards
>
> Tobias
>
> Am 03.01.17 um 21:25 schrieb durairaj t:
>
>> I can see the Wicket 1.5.16 but not 1.5.17 in "
>> https://wicket.apache.org/start/wicket-1.5.x.html#download".
>>

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by Tobias Soloschenko <to...@googlemail.com>.
Hi,

but it is released. See here: 
https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17

kind regards

Tobias

Am 03.01.17 um 21:25 schrieb durairaj t:
> I can see the Wicket 1.5.16 but not 1.5.17 in "
> https://wicket.apache.org/start/wicket-1.5.x.html#download".




Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by durairaj t <du...@gmail.com>.
I can see the Wicket 1.5.16 but not 1.5.17 in "
https://wicket.apache.org/start/wicket-1.5.x.html#download".


