Bug 598164 (CVE-2010-2086)
Summary: | CVE-2010-2086 Apache MyFaces: XSS via state view | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | djorm, fnasser, pcheung, vdanen |
Target Milestone: | --- | Keywords: | Reopened, Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted
view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2011-10-13 07:24:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 717649 |
Description
Jan Lieskovsky
2010-05-31 16:03:41 UTC
I believe that encryption support was added in MyFaces 1.1.1, so earlier versions would not be affected by this flaw. For instance, looking at MyFaces 1.1.0: myfaces-1.1.0-src/share/src/java/org/apache/myfaces% grep -r -i encryption * This yields nothing. Yet in 1.1.4: myfaces-core-1.1.4/source/org/apache/myfaces% grep -r -i encryption * shared_impl/util/StateUtils.java: * <p>This Class exposes a handful of methods related to encryption, ... Only StateUtils.java makes any mention of encryption. So, like CVE-2010-2057, this shouldn't affect myfaces-1.1.0. Can someone confirm please? From the trustwave advisory: "When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. The malicious view can contain arbitrary HTML code (allowing Cross-Site Scripting), and arbitrary Expression Language (EL) [11] statements that will be executed on the server. The EL statements can be used to read data stored in user-scoped session variables, and application or server-scoped variables. Since these variables should be inaccessible by the user, it is not uncommon to store sensitive data in them." The problem is that we *don't* have encryption enabled for client-side viewstate. We should upgrade to myfaces >= 1.1.9. Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue. |