You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Mike Kienenberger (JIRA)" <de...@myfaces.apache.org> on 2016/09/29 16:02:20 UTC
[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad
view state deserialization security vulnerability
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15533170#comment-15533170 ]
Mike Kienenberger commented on TRINIDAD-2542:
---------------------------------------------
All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and
enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related
web configuration parameters.
See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent
certain well-known vectors of attack, but will not entirely resolve this issue.
> CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
> ---------------------------------------------------------------------------------
>
> Key: TRINIDAD-2542
> URL: https://issues.apache.org/jira/browse/TRINIDAD-2542
> Project: MyFaces Trinidad
> Issue Type: Bug
> Components: Components
> Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
> Reporter: Mike Kienenberger
> Assignee: Leonardo Uribe
> Priority: Critical
> Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core
>
>
> Trinidad’s CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations - ie. the view state is not encrypted and is not MAC’ed.
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)