[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability



Clarification: The first line in this CVE [1] was a copy&paste error
during message composition and is not part of the CVE.  This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector.  I
apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mkienenb@xxxxxxxxx> wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad’s CoreResponseStateManager both reads and writes view state
> strings using
> ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad
> bypasses the
> view state security features provided by the JSF implementations - ie. the view
> state is not encrypted and is not MAC’ed.
>
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted
> view state
> strings, which makes Trinidad-based applications vulnerable to deserialization
> attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or
> 1.2.15 and
> enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related
> web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1
> will prevent
> certain well-known vectors of attack, but will not entirely resolve this issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz