Posted to users@wicket.apache.org by durairaj t <du...@gmail.com> on 2017/01/03 20:25:30 UTC

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

I can see Wicket 1.5.16 but not 1.5.17 in "https://wicket.apache.org/start/wicket-1.5.x.html#download".



On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:

> CVE-2016-6793: Apache Wicket deserialization vulnerability
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: Apache Wicket 6.x and 1.5.x
>
> Description: Depending on the ISerializer set in the Wicket application,
> it's possible that a Wicket object deserialized from an untrusted source
> and utilized by the application causes the code to enter an
> infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
> Kryo, allows an attacker to hack its serialized form to put a client in an
> infinite loop if the client attempts to write to the
> DeferredFileOutputStream attribute.
>
> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
>
> Credit: This issue was discovered by Jacob Baines, Tenable Network
> Security and
> Pedro Santos
>
> References: https://wicket.apache.org/news
>
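
As an added example (not code from the Wicket project or from the advisory above), the check below decides whether a declared wicket-core version falls inside the ranges this advisory names (6.x fixed in 6.25.0, 1.5.x fixed in 1.5.17) and audits a pom.xml for org.apache.wicket dependencies. The sample POM is constructed for the demonstration. Versions on branches the advisory does not list are reported as "not-covered" rather than as safe, and a version left to a parent POM or an unresolvable ${property} is reported as "unresolved" so it is not silently skipped.

```python
"""Flag Apache Wicket versions in the range fixed by CVE-2016-6793.

Added example, not code from the Wicket project or the advisory. Only the
branches and fixed versions the advisory names are encoded here.
"""
import re
import xml.etree.ElementTree as ET

# Affected branch prefix -> first fixed version on that branch (from the advisory).
FIXED = {
    (6,): (6, 25, 0),       # Apache Wicket 6.x, fixed in 6.25.0
    (1, 5): (1, 5, 17),     # Apache Wicket 1.5.x, fixed in 1.5.17
}


def parse_version(text):
    """Turn '6.24.0' or '1.5.17' into a tuple of ints, dropping qualifiers like '-SNAPSHOT'."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Return 'vulnerable', 'fixed' or 'not-covered' for a Wicket version string."""
    v = parse_version(version)
    for branch, fixed in FIXED.items():
        if v[:len(branch)] == branch:
            # Pad short versions so '6.25' compares like (6, 25, 0).
            padded = v + (0,) * max(0, len(fixed) - len(v))
            return "fixed" if padded >= fixed else "vulnerable"
    # e.g. 7.x: the advisory lists only 6.x and 1.5.x, so we make no claim.
    return "not-covered"


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def wicket_dependencies(pom_xml):
    """Return (artifactId, version) pairs for org.apache.wicket dependencies in a POM string.

    Resolves a simple ${property} reference against <properties>; anything else
    (parent/BOM-managed versions, nested expressions) is returned as-is.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") != "org.apache.wicket":
            continue
        version = fields.get("version", "")
        m = re.fullmatch(r"\$\{([^}]+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        found.append((fields.get("artifactId", "?"), version))
    return found


def audit_pom(pom_xml):
    """Return (artifactId, version, status) for every Wicket dependency in the POM."""
    result = []
    for artifact, version in wicket_dependencies(pom_xml):
        if not version or version.startswith("$"):
            status = "unresolved"   # managed elsewhere or property not found
        else:
            status = classify(version)
        result.append((artifact, version, status))
    return result


# Constructed sample POM: one property-driven Wicket 6.24.0 build.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><wicket.version>6.24.0</wicket.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.wicket</groupId>
      <artifactId>wicket-core</artifactId>
      <version>${wicket.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.wicket</groupId>
      <artifactId>wicket-extensions</artifactId>
      <version>${wicket.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for artifact, version, status in audit_pom(SAMPLE_POM):
        print(f"{artifact} {version}: {status}")
```

Run it against a real pom.xml by reading the file into `audit_pom`; for multi-module builds, the resolved tree from the Maven dependency plugin is the more reliable input, since this parser does not follow parent POMs or BOM imports.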

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by Martin Grigorov <mg...@apache.org>.
The site has been updated to use 1.5.17.
Thanks for letting us know!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, Jan 3, 2017 at 10:24 PM, durairaj t <du...@gmail.com> wrote:

> Thank you!
>
> On Tue, Jan 3, 2017 at 4:11 PM, Tobias Soloschenko <tobiassoloschenko@googlemail.com> wrote:
>
> > Hi,
> >
> > but it is released. See here: https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17
> >
> > kind regards
> >
> > Tobias
> >
> > Am 03.01.17 um 21:25 schrieb durairaj t:
> >
> >> I can see Wicket 1.5.16 but not 1.5.17 in "https://wicket.apache.org/start/wicket-1.5.x.html#download".
> >>
> >>
> >>
> >> On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
> >>
> >>> CVE-2016-6793: Apache Wicket deserialization vulnerability
> >>>
> >>> Severity: Low
> >>>
> >>> Vendor: The Apache Software Foundation
> >>>
> >>> Versions Affected: Apache Wicket 6.x and 1.5.x
> >>>
> >>> Description: Depending on the ISerializer set in the Wicket application,
> >>> it's possible that a Wicket object deserialized from an untrusted source
> >>> and utilized by the application causes the code to enter an
> >>> infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
> >>> Kryo, allows an attacker to hack its serialized form to put a client in an
> >>> infinite loop if the client attempts to write to the
> >>> DeferredFileOutputStream attribute.
> >>>
> >>> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
> >>>
> >>> Credit: This issue was discovered by Jacob Baines, Tenable Network
> >>> Security and
> >>> Pedro Santos
> >>>
> >>> References: https://wicket.apache.org/news
> >>>
> >>>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > For additional commands, e-mail: users-help@wicket.apache.org
> >
> >
>

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by durairaj t <du...@gmail.com>.
Thank you!

On Tue, Jan 3, 2017 at 4:11 PM, Tobias Soloschenko <tobiassoloschenko@googlemail.com> wrote:

> Hi,
>
> but it is released. See here: https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17
>
> kind regards
>
> Tobias
>
> Am 03.01.17 um 21:25 schrieb durairaj t:
>
>> I can see Wicket 1.5.16 but not 1.5.17 in "https://wicket.apache.org/start/wicket-1.5.x.html#download".
>>
>>
>>
>> On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
>>
>>> CVE-2016-6793: Apache Wicket deserialization vulnerability
>>>
>>> Severity: Low
>>>
>>> Vendor: The Apache Software Foundation
>>>
>>> Versions Affected: Apache Wicket 6.x and 1.5.x
>>>
>>> Description: Depending on the ISerializer set in the Wicket application,
>>> it's possible that a Wicket object deserialized from an untrusted source
>>> and utilized by the application causes the code to enter an
>>> infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
>>> Kryo, allows an attacker to hack its serialized form to put a client in an
>>> infinite loop if the client attempts to write to the
>>> DeferredFileOutputStream attribute.
>>>
>>> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
>>>
>>> Credit: This issue was discovered by Jacob Baines, Tenable Network
>>> Security and
>>> Pedro Santos
>>>
>>> References: https://wicket.apache.org/news
>>>
>>>
>

Re: [ANNOUNCE] CVE-2016-6793 Apache Wicket deserialization vulnerability

Posted by Tobias Soloschenko <to...@googlemail.com>.
Hi,

but it is released. See here: 
https://mvnrepository.com/artifact/org.apache.wicket/wicket-core/1.5.17

kind regards

Tobias

Am 03.01.17 um 21:25 schrieb durairaj t:
> I can see Wicket 1.5.16 but not 1.5.17 in "https://wicket.apache.org/start/wicket-1.5.x.html#download".
>
>
>
> On Sat, Dec 31, 2016 at 2:21 AM, Pedro Santos <pe...@apache.org> wrote:
>
>> CVE-2016-6793: Apache Wicket deserialization vulnerability
>>
>> Severity: Low
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected: Apache Wicket 6.x and 1.5.x
>>
>> Description: Depending on the ISerializer set in the Wicket application,
>> it's possible that a Wicket object deserialized from an untrusted source
>> and utilized by the application causes the code to enter an
>> infinite loop. Specifically, Wicket's DiskFileItem class, serialized by
>> Kryo, allows an attacker to hack its serialized form to put a client in an
>> infinite loop if the client attempts to write to the
>> DeferredFileOutputStream attribute.
>>
>> Mitigation: Upgrade to Apache Wicket 6.25.0 or 1.5.17
>>
>> Credit: This issue was discovered by Jacob Baines, Tenable Network
>> Security and
>> Pedro Santos
>>
>> References: https://wicket.apache.org/news
>>
