Bugtraq mailing list archives
Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
From: Mike Kienenberger <mkienenb () gmail com>
Date: Thu, 29 Sep 2016 13:01:22 -0400
Clarification: The first line in this CVE [1] was a copy-and-paste error during message composition and is not part of the CVE. This line can make it sound as if CVE-2016-5019 is only an information disclosure vulnerability rather than a deserialization attack vector. I apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mkienenb () gmail com> wrote:
CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Trinidad from 1.0.0 to 1.0.13
Trinidad from 1.2.1 to 1.2.14
Trinidad from 2.0.0 to 2.0.1
Trinidad from 2.1.0 to 2.1.1

Description:
Trinidad's CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations, i.e. the view state is not encrypted and is not MAC'ed. Trinidad's CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks.

Mitigation:
All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related web configuration parameters. See http://wiki.apache.org/myfaces/Secure_Your_Application for details.

Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent certain well-known vectors of attack, but will not entirely resolve this issue.

References:
https://issues.apache.org/jira/browse/TRINIDAD-2542

This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz
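The weakness the advisory describes is a view-state token that the server accepts with no integrity check, so whatever bytes the client sends are fed straight into ObjectInputStream. The following Java program is an added illustration of that pattern next to a hardened one; it is not Trinidad or MyFaces code, and the class names, the hard-coded demo key, the token format (base64 payload, a dot, base64 HMAC tag) and the class allowlist are all assumptions made for the example. The real fix for affected deployments remains what the advisory states: upgrade and enable view state encryption with org.apache.myfaces.USE_ENCRYPTION.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical demo: unchecked vs. authenticated + allowlisted view-state restore. */
public class ViewStateDemo {

    // Constructed demo key. A real deployment takes the secret from configuration, never source.
    private static final byte[] MAC_KEY =
            "demo-key-do-not-use-in-production".getBytes(StandardCharsets.UTF_8);

    // Hypothetical allowlist: the only classes this application ever stores in view state.
    private static final Set<String> ALLOWED = Set.of("java.util.HashMap");

    /** The pattern the advisory describes: base64-decode and deserialize, nothing else. */
    static Object restoreUnchecked(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject(); // any Serializable class on the classpath can be instantiated here
        }
    }

    /** Serialize the state and append an HMAC-SHA256 tag over the serialized bytes. */
    static String saveAuthenticated(Serializable state) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(state);
        }
        byte[] payload = buf.toByteArray();
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(payload) + "." + b64.encodeToString(hmac(payload));
    }

    /** Verify the tag in constant time before a single byte reaches ObjectInputStream. */
    static Object restoreAuthenticated(String token)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        int dot = token.lastIndexOf('.'); // '.' is not in the base64 alphabet, so it is a safe separator
        if (dot < 0) throw new SecurityException("malformed view state token");
        byte[] payload = Base64.getDecoder().decode(token.substring(0, dot));
        byte[] tag = Base64.getDecoder().decode(token.substring(dot + 1));
        if (!MessageDigest.isEqual(hmac(payload), tag)) {
            throw new SecurityException("view state MAC mismatch");
        }
        // Second layer: even an authenticated stream may only name allowlisted classes.
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    static byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(MAC_KEY, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** ObjectInputStream that refuses any class descriptor outside the allowlist. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("class not permitted in view state: " + desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, String> state = new HashMap<>();
        state.put("viewId", "/index.xhtml"); // constructed sample state

        String token = saveAuthenticated(state);
        System.out.println("restored: " + restoreAuthenticated(token));

        // The unchecked restore accepts the bare payload with no proof it came from this server.
        String bare = token.substring(0, token.lastIndexOf('.'));
        System.out.println("unchecked restore also accepts it: " + restoreUnchecked(bare));

        // Flip one byte of the payload: the MAC check rejects it before deserialization starts.
        byte[] payload = Base64.getDecoder().decode(bare);
        payload[payload.length - 1] ^= 0x01;
        String tampered = Base64.getEncoder().encodeToString(payload)
                + token.substring(token.lastIndexOf('.'));
        try {
            restoreAuthenticated(tampered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ViewStateDemo.java && java ViewStateDemo`. The order of checks is the point: the MAC is verified with MessageDigest.isEqual before ObjectInputStream is even constructed, and the resolveClass allowlist is a defense in depth for the case where the key leaks or the application itself stores a class that turns out to be a gadget. This is the same layering the advisory points at when it says that upgrading Commons Collections removes some known vectors but does not resolve the issue: the root cause is accepting unauthenticated serialized input.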