Mailing-List: contact dev-help@myfaces.apache.org; run by ezmlm
Delivered-To: mailing list dev@myfaces.apache.org
From: Mike Kienenberger
Sender: mkienenb@gmail.com
Date: Thu, 29 Sep 2016 13:02:45 -0400
Subject: Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
To: announce@myfaces.apache.org, MyFaces Development, MyFaces Discussion

Clarification: The first line in this CVE [1] was a copy-and-paste error during message composition and is not part of the CVE. This line can make it sound as if CVE-2016-5019 is only an information disclosure vulnerability rather than a deserialization attack vector. I apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad's CoreResponseStateManager both reads and writes view state strings
> using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad
> bypasses the view state security features provided by the JSF
> implementations, i.e. the view state is not encrypted and is not MAC'ed.
>
> Trinidad's CoreResponseStateManager will blindly deserialize untrusted view
> state strings, which makes Trinidad-based applications vulnerable to
> deserialization attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15
> and enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and
> related web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will
> prevent certain well-known vectors of attack, but will not entirely resolve
> this issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz
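As an added illustration (not part of the advisory and not a file from the Trinidad project), a web.xml fragment showing the weak setting beside the hardened one for an application already upgraded to a fixed Trinidad release. The advisory names only org.apache.myfaces.USE_ENCRYPTION; the other parameter names are those of the MyFaces core implementation and are assumed here to be the "related web configuration parameters" it refers to, and every key value is a placeholder to be replaced with a site-specific base64-encoded secret.

```xml
<!-- Added example, not the project's own configuration. Only one of the two
     settings belongs in a real deployment; both are shown for contrast.
     Parameter names are the MyFaces core ones (assumed applicable);
     key values are placeholders. -->

<!-- WEAK: encryption off. View state travels as a plain serialized object
     and is deserialized without any MAC check, which is the exposure the
     advisory describes. -->
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>false</param-value>
</context-param>

<!-- HARDENED: encrypt and MAC the view state so that a tampered or forged
     string is rejected before ObjectInputStream ever sees it.
     Generate keys out of band, e.g. `openssl rand -base64 16` for the
     AES-128 key and the IV and `openssl rand -base64 32` for the HMAC key,
     and keep them out of version control. -->
<context-param>
    <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
    <param-value>true</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM</param-name>
    <param-value>AES</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.PARAMETERS</param-name>
    <param-value>CBC/PKCS5Padding</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.ALGORITHM.IV</param-name>
    <param-value>BASE64-16-BYTE-IV-PLACEHOLDER</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.SECRET</param-name>
    <param-value>BASE64-16-BYTE-AES-KEY-PLACEHOLDER</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
    <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
    <param-name>org.apache.myfaces.MAC_SECRET</param-name>
    <param-value>BASE64-32-BYTE-HMAC-KEY-PLACEHOLDER</param-value>
</context-param>
```

A quick check after deployment is to fetch a page and confirm the javax.faces.ViewState value no longer starts with the base64 of a Java serialization header (rO0AB); if it still does, the upgraded Trinidad is not honouring the encryption settings.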