myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Peter Stöckli (JIRA) <...@myfaces.apache.org>
Subject [jira] [Comment Edited] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
Date Fri, 18 Aug 2017 15:14:00 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16133041#comment-16133041
] 

Peter Stöckli edited comment on MYFACES-4133 at 8/18/17 3:13 PM:
-----------------------------------------------------------------

[~lu4242]:
I propose following steps:
# Don't serialize/deserialize ViewState-IDs
# If you say the ViewState encryption should never be disabled then don't allow the ViewState
to be disabled. Remove the param {{org.apache.myfaces.USE_ENCRYPTION}} and throw an exception
at start up if that param is set to {{false}} with a message like: "You must not disable ViewState
encryption/auth! Assume all systems that had ViewState encryption disabled to be breached!"
# As you proposed: Upgrade the default encryption and HMAC algorithms.


was (Author: stockli):
[~lu4242]:
I propose following steps:
# Don't serialize/deserialize ViewState-IDs
# If you say the ViewState encryption should never be disabled then don't allow the ViewState
to be disabled! Remove the param {{org.apache.myfaces.USE_ENCRYPTION}} and throw an exception
at start up if that param is set to false with a message like: "You must not disable ViewState
encryption/auth! Assume all systems that had ViewState encryption disabled to be breached!"
# Upgrade the default encryption and HMAC algorithms.

> Don't deserialize the ViewState-ID if the state saving method is server
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-4133
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4133
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 2.2.12
>            Reporter: Peter Stöckli
>
> Currently the ViewState-ID provided by the user is deserialized via Java deserialization
even when the {{javax.faces.STATE_SAVING_METHOD}} is set to {{server}} (the default).
> The deserialization in this case is unecessary and most likely even slower than just
sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting {{org.apache.myfaces.USE_ENCRYPTION}}
to {{false}} (against the [MyFaces security advice|https://wiki.apache.org/myfaces/Secure_Your_Application])
he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability
as described [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message