Clarification: The first line in this CVE [1] was a copy&paste error
during message composition and is not part of the CVE. This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector. I
apologize for the confusion.
On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mkienenb (at) gmail (dot) com [email concealed]> wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad's CoreResponseStateManager both reads and writes view state
> strings using ObjectInputStream/ObjectOutputStream directly. By doing so,
> Trinidad bypasses the view state security features provided by the JSF
> implementations - ie. the view state is not encrypted and is not MAC'ed.
>
> Trinidad's CoreResponseStateManager will blindly deserialize untrusted
> view state strings, which makes Trinidad-based applications vulnerable to
> deserialization attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or
> 1.2.15 and enable view state encryption using
> org.apache.myfaces.USE_ENCRYPTION and related web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1
> will prevent certain well-known vectors of attack, but will not entirely
> resolve this issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz
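The advisory above contrasts two things: a state manager that hands the client's view-state parameter straight to ObjectInputStream, and one that goes through the JSF implementation's encryption/MAC layer. The following is an added illustration, not Trinidad's or MyFaces' code: decodeUnsafe is the pattern the advisory describes, and encodeSigned/decodeSigned show the property that org.apache.myfaces.USE_ENCRYPTION and its related parameters are meant to give you, namely that no byte of the token is deserialized until a MAC over it has been verified. The HMAC-SHA256 construction, the key handling, the java.lang/java.util allowlist and the sample state are all assumptions chosen for the example; a real deployment gets the MAC and the key from the JSF implementation's configuration rather than from code like this.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added illustration (not Trinidad's code): unsafe view-state decoding vs. MAC-then-deserialize. */
public class ViewStateDemo {

    private static final String MAC_ALG = "HmacSHA256";
    private static final int TAG_LEN = 32; // HMAC-SHA256 output length

    /** The pattern the advisory describes: whatever the client sends is deserialized as-is. */
    static Object decodeUnsafe(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return ois.readObject(); // gadget chains execute inside this call, before any check
        }
    }

    private static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(new SecretKeySpec(key, MAC_ALG));
        return mac.doFinal(data);
    }

    /** Serialize the state and prepend an HMAC over the serialized bytes (assumed layout: tag || payload). */
    static String encodeSigned(byte[] key, Serializable state) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(state);
        }
        byte[] payload = bos.toByteArray();
        byte[] tag = hmac(key, payload);
        byte[] out = new byte[TAG_LEN + payload.length];
        System.arraycopy(tag, 0, out, 0, TAG_LEN);
        System.arraycopy(payload, 0, out, TAG_LEN, payload.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Allowlist filter (assumed policy): only java.lang / java.util classes, and arrays of them, may be resolved. */
    private static ObjectInputFilter.Status allowJdkOnly(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // depth/reference limit checks carry no class
        }
        while (c.isArray()) {
            c = c.getComponentType();
        }
        String name = c.getName();
        boolean ok = c.isPrimitive() || name.startsWith("java.lang.") || name.startsWith("java.util.");
        return ok ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    /** Verify the MAC first; only then deserialize, and only through the allowlist filter. */
    static Object decodeSigned(byte[] key, String token) throws Exception {
        byte[] raw = Base64.getDecoder().decode(token);
        if (raw.length <= TAG_LEN) {
            throw new SecurityException("view state token too short");
        }
        byte[] tag = Arrays.copyOfRange(raw, 0, TAG_LEN);
        byte[] payload = Arrays.copyOfRange(raw, TAG_LEN, raw.length);
        if (!MessageDigest.isEqual(tag, hmac(key, payload))) { // constant-time comparison
            throw new SecurityException("view state MAC mismatch");
        }
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ViewStateDemo::allowJdkOnly);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // per-deployment secret; generated here only for the demo

        HashMap<String, Integer> state = new HashMap<>(); // constructed sample view state
        state.put("page", 3);
        String token = encodeSigned(key, state);
        System.out.println("valid token round-trips: " + decodeSigned(key, token));

        // An attacker who can build their own serialized stream (here a harmless ArrayList;
        // a real attack substitutes a gadget chain) gets it parsed by the unsafe decoder...
        ByteArrayOutputStream forgedBytes = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(forgedBytes)) {
            oos.writeObject(new ArrayList<>(List.of("attacker-chosen")));
        }
        String forged = Base64.getEncoder().encodeToString(forgedBytes.toByteArray());
        System.out.println("unsafe decoder accepts forged stream: " + decodeUnsafe(forged));

        // ...but the signed decoder rejects it before ObjectInputStream ever sees a byte.
        try {
            decodeSigned(key, forged);
        } catch (SecurityException e) {
            System.out.println("signed decoder rejected forged stream: " + e.getMessage());
        }
    }
}
```

Two points from the advisory are visible in the code. The MAC check is the control that matters: once it passes, the stream is known to have been produced by the server, so the attacker's only remaining lever is tampering with a token the server issued, which the MAC also catches. The ObjectInputFilter is the defense-in-depth layer that corresponds to the advisory's note about Commons Collections: rejecting unexpected classes blocks known gadget chains, but it is not a substitute for authenticating the token, which is why upgrading Commons Collections alone "will not entirely resolve this issue".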