Clarification: The first line in this CVE [1] was a copy&paste error during message composition and is not part of the CVE. This line can make it sound as if CVE-2016-5019 is only an information disclosure vulnerability rather than a deserialization attack vector. I apologize for the confusion.
On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mkien...@gmail.com> wrote: > CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability > > Severity: Important > > Vendor: > The Apache Software Foundation > > Versions Affected: > Trinidad from 1.0.0 to 1.0.13 > Trinidad from 1.2.1 to 1.2.14 > Trinidad from 2.0.0 to 2.0.1 > Trinidad from 2.1.0 to 2.1.1 > > Description: > > Trinidad’s CoreResponseStateManager both reads and writes view state > strings using > ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad > bypasses the > view state security features provided by the JSF implementations - ie. the > view > state is not encrypted and is not MAC’ed. > > Trinidad’s CoreResponseStateManager will blindly deserialize untrusted > view state > strings, which makes Trinidad-based applications vulnerable to deserialization > attacks. > > Mitigation: > > All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or > 1.2.15 and > enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and > related > web configuration parameters. > See http://wiki.apache.org/myfaces/Secure_Your_Application for details. > > Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 > will prevent > certain well-known vectors of attack, but will not entirely resolve this > issue. > > References: > https://issues.apache.org/jira/browse/TRINIDAD-2542 > > This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz