Posted to commits@wicket.apache.org by pe...@apache.org on 2016/12/31 06:49:04 UTC

wicket-site git commit: Announcing CVE-2016-6793: Apache Wicket deserialization vulnerability

Repository: wicket-site
Updated Branches:
  refs/heads/asf-site 43935ae59 -> c202a1f61


Announcing CVE-2016-6793: Apache Wicket deserialization vulnerability


Project: http://git-wip-us.apache.org/repos/asf/wicket-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket-site/commit/c202a1f6
Tree: http://git-wip-us.apache.org/repos/asf/wicket-site/tree/c202a1f6
Diff: http://git-wip-us.apache.org/repos/asf/wicket-site/diff/c202a1f6

Branch: refs/heads/asf-site
Commit: c202a1f616f460643bf82441480946e3f689f884
Parents: 43935ae
Author: Pedro Henrique Oliveira dos Santos <pe...@apache.org>
Authored: Sat Dec 31 06:47:08 2016 +0000
Committer: Pedro Henrique Oliveira dos Santos <pe...@apache.org>
Committed: Sat Dec 31 06:47:08 2016 +0000

----------------------------------------------------------------------
 2016/_posts/2016-12-31-cve-2016-6793.md | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket-site/blob/c202a1f6/2016/_posts/2016-12-31-cve-2016-6793.md
----------------------------------------------------------------------
diff --git a/2016/_posts/2016-12-31-cve-2016-6793.md b/2016/_posts/2016-12-31-cve-2016-6793.md
new file mode 100644
index 0000000..15a63f9
--- /dev/null
+++ b/2016/_posts/2016-12-31-cve-2016-6793.md
@@ -0,0 +1,24 @@
+---
+layout: post
+title: CVE-2016-6793 Apache Wicket deserialization vulnerability
+---
+
+*Severity*: Low
+
+*Vendor*: The Apache Software Foundation
+
+*Versions Affected*: Apache Wicket 6.x and 1.5.x
+
+*Description*: Depending on the ISerializer set in the Wicket application, 
+it's possible that a Wicket's object deserialized from an untrusted source 
+and utilized by the application to causes the code to enter in an infinite 
+loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows 
+an attacker to hack its serialized form to put a client on an infinite loop 
+if the client attempts to write on the DeferredFileOutputStream attribute.
+
+*Mitigation*: Upgrade to Apache Wicket 6.25.0 or 1.5.17
+
+*Credit*: This issue was discovered 
+by Jacob Baines, Tenable Network Security and Pedro Santos
+
+References: https://wicket.apache.org/news
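Review bot: the *Description* paragraph (the lines from `+*Description*: Depending on the ISerializer set` through `+if the client attempts to write on the DeferredFileOutputStream attribute.`) has grammar that obscures what the bug actually is: "to causes the code to enter in an infinite loop" should read "to cause the code to enter an infinite loop", "put a client on an infinite loop" should be "put a client into an infinite loop", and "hack its serialized form" would be clearer as "tamper with its Kryo-serialized form", so that a reader sees immediately that the trigger is a crafted serialized DiskFileItem and the impact is a hang (denial of service) on write to the DeferredFileOutputStream field, which is what justifies the stated Low severity. Two smaller points in the same hunk: `+References: https://wicket.apache.org/news` is the only field not set as `*References*:` like `*Severity*`, `*Vendor*`, `*Versions Affected*`, `*Mitigation*` and `*Credit*`, and the generic news page is a weak reference for an advisory; the CVE entry itself would serve readers better there.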