[ https://issues.apache.org/jira/browse/MYFACES-2749?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12896828#action_12896828 ]
Mark Cox commented on MYFACES-2749:
-----------------------------------

This is CVE-2010-2057

> Encrypted View State does not include Message Authentication Code (MAC)
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-2749
>                 URL: https://issues.apache.org/jira/browse/MYFACES-2749
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 1.1.7, 1.2.8, 2.0.0
>            Reporter: Leonardo Uribe
>            Assignee: Leonardo Uribe
>             Fix For: 1.1.8, 1.2.9, 2.0.1
>
>
> Both myfaces and mojarra only encrypt the state. What is missing is adding a
> message authentication code (MAC) to the encryption to prevent padding oracle
> attacks. The objective is to detect if the received view state has been modified
> and not process it, throwing ViewExpiredException.
>
> The problem can be solved if users change to server side state saving,
> because with this configuration only an identifier is sent in the view state and
> no changes to the component tree can be made.
>
> The proposed solution was to add these new web-config params:
>
> org.apache.myfaces.MAC_ALGORITHM : Indicates the algorithm used to calculate
> the Message Authentication Code that is added to the view state.
>
> org.apache.myfaces.MAC_SECRET : Defines the initialization code that is used
> to initialize the secret key used by the Message Authentication Code
> algorithm.
>
> org.apache.myfaces.MAC_SECRET.CACHE : If it is set to "false", the secret key
> used for the MAC algorithm is not cached. This is used when the returned
> SecretKey for the MAC algorithm is not thread safe.
>
> The security configuration was unified in all branches to work the same. That
> means the property org.apache.myfaces.USE_ENCRYPTION was included in 1.1.x.
>
> Now, if an error occurs when the state is encrypted/decrypted, a
> ViewExpiredException is thrown, but the real exception is logged, to hide
> information that could be useful to non developers.