[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533282#comment-15533282 ] Mike Kienenberger commented on TRINIDAD-2542: - The "information disclosure vulnerability" was a cut error. It should be "deserialization security vulnerability" -- I'll see what I can do to get that corrected. > CVE-2016-5019: MyFaces Trinidad view state deserialization security > vulnerability > - > > Key: TRINIDAD-2542 > URL: https://issues.apache.org/jira/browse/TRINIDAD-2542 > Project: MyFaces Trinidad > Issue Type: Bug > Components: Components >Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core >Reporter: Mike Kienenberger >Assignee: Leonardo Uribe >Priority: Critical > Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core > > > Trinidad’s CoreResponseStateManager both reads and writes view state strings > using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad > bypasses the view state security features provided by the JSF implementations > - ie. the view state is not encrypted and is not MAC’ed. > Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view > state strings, which makes Trinidad-based applications vulnerable to > deserialization attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533270#comment-15533270 ] Brian Martin commented on TRINIDAD-2542: Generally, deserialization attacks lead to remote code execution or file manipulation. The oss-sec post for this issue [1] says "deserialization security vulnerability" in the subject (and title here), but then calls it "information disclosure vulnerability" below. Can you confirm the impact of this vulnerability? Thanks! [1] http://seclists.org/oss-sec/2016/q3/667 > CVE-2016-5019: MyFaces Trinidad view state deserialization security > vulnerability > - > > Key: TRINIDAD-2542 > URL: https://issues.apache.org/jira/browse/TRINIDAD-2542 > Project: MyFaces Trinidad > Issue Type: Bug > Components: Components >Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core >Reporter: Mike Kienenberger >Assignee: Leonardo Uribe >Priority: Critical > Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core > > > Trinidad’s CoreResponseStateManager both reads and writes view state strings > using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad > bypasses the view state security features provided by the JSF implementations > - ie. the view state is not encrypted and is not MAC’ed. > Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view > state strings, which makes Trinidad-based applications vulnerable to > deserialization attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TRINIDAD-2542) CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15533170#comment-15533170 ] Mike Kienenberger commented on TRINIDAD-2542: - All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related web configuration parameters. See http://wiki.apache.org/myfaces/Secure_Your_Application for details. Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent certain well-known vectors of attack, but will not entirely resolve this issue. > CVE-2016-5019: MyFaces Trinidad view state deserialization security > vulnerability > - > > Key: TRINIDAD-2542 > URL: https://issues.apache.org/jira/browse/TRINIDAD-2542 > Project: MyFaces Trinidad > Issue Type: Bug > Components: Components >Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core >Reporter: Mike Kienenberger >Assignee: Leonardo Uribe >Priority: Critical > Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core > > > Trinidad’s CoreResponseStateManager both reads and writes view state strings > using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad > bypasses the view state security features provided by the JSF implementations > - ie. the view state is not encrypted and is not MAC’ed. > Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view > state strings, which makes Trinidad-based applications vulnerable to > deserialization attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332)