Bug 1479661 - jsf-impl: JSF client side view state saving deserializes data
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority / Severity: medium / medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20170809,repor...
Keywords: Reopened, Security
Blocks: 1479444
Reported: 2017-08-09 01:23 EDT by Jason Shepherd
Modified: 2017-08-17 17:44 EDT
Fixed In Version: 2.1.29-08
Last Closed: 2017-08-09 01:46:27 EDT

Attachments: None
Description Jason Shepherd 2017-08-09 01:23:11 EDT
When client-side view state saving is used with Java Server Faces prior to version 2.1.29-08, a serialized representation of the view state is posted to the server. If an attacker can post content and a serialization gadget is available on the server-side classpath, an attacker could use this flaw to execute code remotely (RCE).
Comment 1 Jason Shepherd 2017-08-09 01:23:38 EDT
Acknowledgments:

Name: Peter Stöckli (Alphabot Security Switzerland)
Comment 2 Jason Shepherd 2017-08-09 01:42:03 EDT
Mitigation:

A vulnerable web application needs to have set javax.faces.STATE_SAVING_METHOD to 'client' to enable client-side view state saving. The default value on Enterprise Application Platform (EAP) 6.4.x is 'server'.

If javax.faces.STATE_SAVING_METHOD is set to 'client' a mitigation for this issue is to encrypt the view by setting com.sun.faces.ClientStateSavingPassword in the application web.xml:

  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>

  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>[some secret password]</env-entry-value>
  </env-entry>

Reference: https://access.redhat.com/solutions/2049883
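A configuration audit for the mitigation above, added here as an example (not code from the bug report or from Red Hat): it parses a web.xml, reads javax.faces.STATE_SAVING_METHOD, and flags 'client' state saving that has no com.sun.faces.ClientStateSavingPassword env-entry. Both sample web.xml documents are constructed, and the password value in the mitigated one is a placeholder.

```python
import xml.etree.ElementTree as ET

STATE_PARAM = "javax.faces.STATE_SAVING_METHOD"
PASSWORD_ENTRY = "com.sun.faces.ClientStateSavingPassword"


def _local(tag):
    """Strip the XML namespace so web.xml from any schema version matches."""
    return tag.rsplit("}", 1)[-1]


def _pairs(root, parent, name_tag, value_tag):
    """Yield (name, value) from every <parent> element, e.g. context-param."""
    for elem in root.iter():
        if _local(elem.tag) != parent:
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == name_tag:
                name = (child.text or "").strip()
            elif _local(child.tag) == value_tag:
                value = (child.text or "").strip()
        if name is not None:
            yield name, value


def assess_web_xml(xml_text):
    """Report the state-saving method and whether client state is unencrypted.
    A missing parameter means 'server' (the EAP 6.4.x default), which is not affected."""
    root = ET.fromstring(xml_text)
    params = dict(_pairs(root, "context-param", "param-name", "param-value"))
    env = dict(_pairs(root, "env-entry", "env-entry-name", "env-entry-value"))
    method = (params.get(STATE_PARAM) or "server").lower()
    encrypted = bool(env.get(PASSWORD_ENTRY))  # empty/missing password = not encrypted
    return {"method": method, "encrypted": encrypted, "at_risk": method == "client" and not encrypted}


# Constructed sample: client-side saving with no view-state password (exposed).
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>javax.faces.STATE_SAVING_METHOD</param-name>
                 <param-value>client</param-value></context-param>
</web-app>"""

# Constructed sample: same setting plus the env-entry from the mitigation (secret is a placeholder).
MITIGATED_WEB_XML = VULNERABLE_WEB_XML.replace("</web-app>", """<env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>placeholder-change-me</env-entry-value></env-entry>
</web-app>""")
```

Run assess_web_xml over each deployed application's WEB-INF/web.xml; only a result with at_risk set true needs the env-entry added or the method switched back to 'server'.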
Comment 3 Jason Shepherd 2017-08-09 01:43:58 EDT
JBoss Operations Network (JON) 3.3.x uses JSF for the rhq-portal web application; however, the javax.faces.STATE_SAVING_METHOD is set to 'server', so it's not affected.
Comment 4 Jason Shepherd 2017-08-09 01:46:27 EDT
Because the default value for javax.faces.STATE_SAVING_METHOD is 'server' on EAP 6.4.x, we won't fix this issue in that version.
Comment 5 Jason Shepherd 2017-08-09 18:31:19 EDT
Statement:

This issue affects JSF as implemented by the Mojarra project. The Java archive name when packaged in JBoss EAP is jsf-impl.jar.
