[jira] [Resolved] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

Mike Kienenberger (JIRA) Thu, 29 Sep 2016 09:01:56 -0700

     [ 
https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Mike Kienenberger resolved TRINIDAD-2542.
-----------------------------------------
       Resolution: Fixed
         Assignee: Leonardo Uribe
    Fix Version/s: 2.1.2-core
                   2.0.2-core
                   1.2.15-core 

> CVE-2016-5019: MyFaces Trinidad view state deserialization security 
> vulnerability
> ---------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-2542
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-2542
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
>            Reporter: Mike Kienenberger
>            Assignee: Leonardo Uribe
>            Priority: Critical
>             Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core
>
>
> Trinidad’s CoreResponseStateManager both reads and writes view state strings 
> using ObjectInputStream/ObjectOutputStream directly.  By doing so, Trinidad 
> bypasses the view state security features provided by the JSF implementations 
> - ie. the view state is not encrypted and is not MAC’ed.
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view 
> state strings, which makes Trinidad-based applications vulnerable to 
> deserialization attacks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Resolved] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

Reply via email to