[ 
https://issues.apache.org/jira/browse/MYFACES-2749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12896828#action_12896828
 ] 

Mark Cox commented on MYFACES-2749:
-----------------------------------

This is CVE-2010-2057

> Encrypted View State does not include Message Authentication Code (MAC)
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-2749
>                 URL: https://issues.apache.org/jira/browse/MYFACES-2749
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.1.7, 1.2.8, 2.0.0
>            Reporter: Leonardo Uribe
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.8, 1.2.9, 2.0.1
>
>
> Both MyFaces and Mojarra only encrypt the state. What is missing is adding a 
> message authentication code (MAC) to the encryption to prevent padding oracle 
> attacks. The objective is to detect whether the received view state has been modified 
> and, if so, not process it, throwing ViewExpiredException.
> The problem can be solved if users change to server-side state saving, 
> because then only an identifier is sent in the view state and no changes to the 
> component tree can be made with this configuration.
> The proposed solution was to add these new web-config params:
> org.apache.myfaces.MAC_ALGORITHM : Indicates the algorithm used to calculate 
> the Message Authentication Code that is added to the view state.
> org.apache.myfaces.MAC_SECRET : Defines the initialization code that is used 
> to initialize the secret key used by the Message Authentication Code 
> algorithm.
> org.apache.myfaces.MAC_SECRET.CACHE : If set to "false", the secret key 
> used for the MAC algorithm is not cached. This is used when the returned 
> SecretKey for the MAC algorithm is not thread safe. 
> The security configuration was unified across all branches to work the same. That 
> means the property org.apache.myfaces.USE_ENCRYPTION was included in 1.1.x.
> Now, if an error occurs when the state is encrypted/decrypted, a 
> ViewExpiredException is thrown, but the real exception is logged, to hide 
> information that could be useful to non-developers.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
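The scheme the issue describes, encrypt the serialized view state, append a MAC over the ciphertext, verify the MAC before touching the padding, and collapse every failure into one generic "view expired" error while logging the real cause, is shown below as an added Go example. It is not MyFaces code (the project's fix is in Java and uses the MAC_ALGORITHM / MAC_SECRET parameters named above); the type name ViewStateSealer, the Seal/Open/TamperByte functions and the hard-coded sample keys are all constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// ErrViewExpired is the only error handed back to the request handler,
// whatever actually failed (length, MAC, padding). This mirrors the issue's
// "throw ViewExpiredException, log the real exception" behaviour.
var ErrViewExpired = errors.New("view state expired or invalid")

// ViewStateSealer holds independent encryption and MAC keys (hypothetical
// type; in the real framework these would be derived from configuration).
type ViewStateSealer struct {
	encKey []byte // 16, 24 or 32 bytes for AES
	macKey []byte
}

// NewSampleSealer returns a sealer with constructed demo keys.
func NewSampleSealer() *ViewStateSealer {
	return &ViewStateSealer{
		encKey: []byte("0123456789abcdef"),              // constructed AES-128 key
		macKey: []byte("constructed-mac-secret-for-demo"), // constructed MAC key
	}
}

// Seal: AES-CBC under a fresh random IV, then HMAC-SHA256 over IV||ciphertext
// (encrypt-then-MAC). Output is base64(IV || ciphertext || tag).
func (s *ViewStateSealer) Seal(state []byte) (string, error) {
	block, err := aes.NewCipher(s.encKey)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(state, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	payload := append(iv, ct...)
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(payload)
	return base64.StdEncoding.EncodeToString(append(payload, mac.Sum(nil)...)), nil
}

// Open checks the MAC first and only then decrypts. A modified token is
// rejected before any padding byte is inspected, so the padding check can
// no longer serve as an oracle for someone who cannot forge the tag.
func (s *ViewStateSealer) Open(token string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return nil, logAndExpire(err)
	}
	if len(raw) < 2*aes.BlockSize+sha256.Size {
		return nil, logAndExpire(errors.New("token too short"))
	}
	payload, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, s.macKey)
	mac.Write(payload)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time comparison
		return nil, logAndExpire(errors.New("MAC mismatch"))
	}
	iv, ct := payload[:aes.BlockSize], payload[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, logAndExpire(errors.New("ciphertext not block aligned"))
	}
	block, err := aes.NewCipher(s.encKey)
	if err != nil {
		return nil, logAndExpire(err)
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	state, err := pkcs7Unpad(plain, aes.BlockSize)
	if err != nil {
		return nil, logAndExpire(err)
	}
	return state, nil
}

// logAndExpire records the real cause server-side and returns the generic
// error, so the HTTP response does not reveal which check failed.
func logAndExpire(cause error) error {
	fmt.Printf("view state rejected: %v\n", cause) // stand-in for the framework logger
	return ErrViewExpired
}

// TamperByte flips one bit at offset i of the decoded token (helper that
// simulates a client-side modification of the view state).
func TamperByte(token string, i int) string {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil || i >= len(raw) {
		return token
	}
	raw[i] ^= 0x01
	return base64.StdEncoding.EncodeToString(raw)
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

func main() {
	s := NewSampleSealer()
	tok, _ := s.Seal([]byte("serialized component tree"))
	state, err := s.Open(tok)
	fmt.Printf("intact: %q err=%v\n", state, err)
	_, err = s.Open(TamperByte(tok, 20))
	fmt.Println("tampered ciphertext:", err)
}
```

The two things worth noticing are the order of operations in Open (tag check, then decrypt, then unpad) and that a flipped IV byte, a flipped ciphertext byte and a flipped tag byte all surface to the caller as the identical ErrViewExpired, with the distinguishing detail going only to the log. Keeping the MAC key separate from the encryption key is also deliberate; the issue's MAC_SECRET parameter exists for the same reason.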
