myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Martin (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
Date Thu, 29 Sep 2016 16:38:20 GMT

    [ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15533270#comment-15533270
] 

Brian Martin commented on TRINIDAD-2542:
----------------------------------------

Generally, deserialization attacks lead to remote code execution or file manipulation. The
oss-sec post for this issue [1] says "deserialization security vulnerability" in the subject
(and title here), but then calls it "information disclosure vulnerability" below. Can you
confirm the impact of this vulnerability? Thanks!


[1] http://seclists.org/oss-sec/2016/q3/667

> CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-2542
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-2542
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
>            Reporter: Mike Kienenberger
>            Assignee: Leonardo Uribe
>            Priority: Critical
>             Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core
>
>
> Trinidad’s CoreResponseStateManager both reads and writes view state strings using
ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad bypasses the view state
security features provided by the JSF implementations - ie. the view state is not encrypted
and is not MAC’ed.
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state strings,
which makes Trinidad-based applications vulnerable to deserialization attacks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message