Message-ID: <CAM1yOjYJKT=43rt8=GH7DKO6_sMNyR2tV45OxUnBGPaQN=XtGA@mail.gmail.com>
Date: Thu, 29 Sep 2016 13:01:22 -0400
From: Mike Kienenberger <mkienenb@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

Clarification: The first line in this CVE [1] was a copy-and-paste error
during message composition and is not part of the CVE.  This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector.  I
apologize for the confusion.

On Thu, Sep 29, 2016 at 11:50 AM, Mike Kienenberger <mkienenb@...il.com> wrote:
> CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
>
> Severity: Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Trinidad from 1.0.0 to 1.0.13
> Trinidad from 1.2.1 to 1.2.14
> Trinidad from 2.0.0 to 2.0.1
> Trinidad from 2.1.0 to 2.1.1
>
> Description:
>
> Trinidad’s CoreResponseStateManager both reads and writes view state
> strings using ObjectInputStream/ObjectOutputStream directly.  By doing so,
> Trinidad bypasses the view state security features provided by the JSF
> implementations, i.e. the view state is not encrypted and is not MAC’ed.
>
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted
> view state strings, which makes Trinidad-based applications vulnerable to
> deserialization attacks.
>
> Mitigation:
>
> All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or
> 1.2.15 and enable view state encryption using org.apache.myfaces.USE_ENCRYPTION
> and related web configuration parameters.
> See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
>
> Upgrading all Commons Collections jars on the class path to 3.2.2/4.1
> will prevent certain well-known vectors of attack, but will not entirely
> resolve this issue.
>
> References:
> https://issues.apache.org/jira/browse/TRINIDAD-2542
>
> This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz
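As an added illustration (not Trinidad's or MyFaces' code), the pattern the advisory describes next to a hardened variant: the unprotected path hands a Base64 view-state string straight to ObjectInputStream, while the protected path verifies an HMAC over the serialized bytes and restricts which classes may be resolved before anything is instantiated. The key, the token layout and the allowed-class list are constructed for this demo; the real fix remains the upgrade and org.apache.myfaces.USE_ENCRYPTION named above.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative view-state restore: untrusted string to object, unprotected vs. protected. */
public final class ViewStateDemo {
    // Constructed demo key; a real deployment keeps this in configuration, never in source.
    private static final byte[] MAC_KEY =
        "constructed-demo-key-not-for-production".getBytes(StandardCharsets.UTF_8);
    // Hypothetical allowlist: only what a view state is expected to contain.
    private static final Set<String> ALLOWED = Set.of(
        "java.util.HashMap", "java.lang.Integer", "java.lang.Number");

    /** The pattern the advisory describes: decode and deserialize with no integrity check. */
    static Object restoreUnprotected(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return in.readObject();   // any class on the class path can be instantiated here
        }
    }

    /** Serialize, then bind an HMAC to the bytes: token = base64(tag) "." base64(payload). */
    static String saveProtected(Serializable state) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(state); }
        byte[] payload = bos.toByteArray();
        Base64.Encoder enc = Base64.getEncoder();
        return enc.encodeToString(mac(payload)) + "." + enc.encodeToString(payload);
    }

    /** Verify the MAC in constant time, then deserialize with a class allowlist. */
    static Object restoreProtected(String token) throws Exception {
        int dot = token.indexOf('.');
        if (dot < 0) throw new SecurityException("malformed view state");
        byte[] tag = Base64.getDecoder().decode(token.substring(0, dot));
        byte[] payload = Base64.getDecoder().decode(token.substring(dot + 1));
        if (!MessageDigest.isEqual(tag, mac(payload)))
            throw new SecurityException("view state MAC mismatch");   // rejected before readObject
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload)) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(d.getName()))
                    throw new InvalidClassException("class not permitted in view state: " + d.getName());
                return super.resolveClass(d);
            }
        }) { return in.readObject(); }
    }

    private static byte[] mac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(MAC_KEY, "HmacSHA256"));
        return mac.doFinal(data);
    }
}
```

On Java 9 and later the resolveClass override can be replaced by an ObjectInputFilter set on the stream; the MAC check must still run before any byte reaches the deserializer.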
