Re: CVE request: Mojarra allows deployed web applications to read FacesContext from other applications

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/06/2012 08:02 PM, David Jorm wrote:
> Could a CVE please be assigned for this issue:
>
> It was found that in Mojarra, the FacesContext that is made
> available during application startup is held in a ThreadLocal. The
> reference is not properly cleaned up in all cases. As a result, if
> a JSF WAR calls FacesContext.getCurrentInstance() during
> application startup, another WAR can get access to the leftover
> context and thus get access to the other WAR's resources.
>
> References: Upstream Mojarra bug:
> http://java.net/jira/browse/JAVASERVERFACES-2436 Bug for
> JBoss-specific impacts:
> https://issues.jboss.org/browse/JBPAPP-9197
>
> Thanks

Please use CVE-2012-2672 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJP0BgFAAoJEBYNRVNeJnmTQ8MP/36Pjn/wI3mr4cPIlKZnorx+
DtUT0sgolqZlzISvDewIIWE3lGBx3/q5Wcl7We0Pbs8C3zgU6zDMnEAp2hCoibTR
qxQji5sJVVMOucQg1qoleeINPNoM0zNFJzkTf0dI+UrI+DoFjOi3uEQPxF11bOQi
inDagx6Rws0+pX5xNEpakQeX/WHh8MoB6e0tr2bPVOgWerXIMvgTVPmXKTtjH0gw
JuPd0EOcYHSBy2I5XM2tDORm/va/wOPn/TIqOQeH/dSA/iX13eVaVy+SomsvHpkB
ioseSDHHS4v+7/V/lCYUOo05f8COMT4HYpVA85hBQP5vwwX1afXV213AkfPlpGB4
kM3gcwr+v/gL9CmPyKFCLBmbHgdBMxGVk7AbSmvvZ2F52E7zEYGIR+CNZLz55aC8
OoR20rK4umqJEfraBMa4zOnFBuE9twSxO7kdCGDAJcnqTPKkBo/tQKqmViKPvOph
5DhRCWKQeWitnLW/ZNFQfTa4ZLfvsH1BERntSeWeFpwsaY/t0HqTw+5wcdBRqAiY
ZXic3ZTmidxAnn/hhrF/8gEERlgp7r4TqcTX+16XE0rfyqsoB2hr+BfUy2O30nX8
0An4qf9cdYLhDJO4bURpMT5zGUZ2ZKyk4SuZogj3/PJBGAecgIv11TGMhk8Ufzhv
DlDOg3pw0Jr6pkUraOV8
=6u/u
-----END PGP SIGNATURE-----