Bug 1479661 - jsf-impl: JSF client side view state saving deserializes data
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Reopened, Security
Blocks: 1479444
Reported: 2017-08-09 01:23 EDT by Jason Shepherd
Modified: 2017-12-07 19:01 EST
Fixed In Version: 2.1.29-08
Last Closed: 2017-08-09 01:46:27 EDT
Description Jason Shepherd 2017-08-09 01:23:11 EDT
When client-side view state saving is used with Java Server Faces prior to version 2.1.29-08, a serialized representation of the view state is posted to the server. If an attacker can post content and a serialization gadget is available on the server side classpath, an attacker could use this flaw to execute code remotely (RCE).
Comment 1 Jason Shepherd 2017-08-09 01:23:38 EDT

Name: Peter Stöckli (Alphabot Security Switzerland)
Comment 2 Jason Shepherd 2017-08-09 01:42:03 EDT

A vulnerable web application needs to have set javax.faces.STATE_SAVING_METHOD to 'client' to enable client-side view state saving. The default value on Enterprise Application Platform (EAP) 6.4.x is 'server'.

If javax.faces.STATE_SAVING_METHOD is set to 'client' a mitigation for this issue is to encrypt the view by setting com.sun.faces.ClientStateSavingPassword in the application web.xml:

    <env-entry>
        <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
        <env-entry-type>java.lang.String</env-entry-type>
        <env-entry-value>[some secret password]</env-entry-value>
    </env-entry>

Reference: https://access.redhat.com/solutions/2049883
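As an added configuration check (not part of the bug report, of Mojarra, or of the referenced solution), the following Python audits a web.xml for the combination described in this comment: javax.faces.STATE_SAVING_METHOD set to 'client' without a com.sun.faces.ClientStateSavingPassword env-entry. The two sample web.xml documents are constructed for the example, and the namespace-stripping handles files declared with or without the javaee xmlns.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml documents (not taken from the bug report).
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
</web-app>"""

MITIGATED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>constructed-sample-secret</env-entry-value>
  </env-entry>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so files with or without xmlns are read alike."""
    return tag.rsplit('}', 1)[-1]

def _pairs(root, element, name_tag, value_tag):
    """Map name -> value for every <context-param> or <env-entry> element."""
    found = {}
    for el in (e for e in root.iter() if _local(e.tag) == element):
        kids = {_local(c.tag): (c.text or '').strip() for c in el}
        if kids.get(name_tag):
            found[kids[name_tag]] = kids.get(value_tag)
    return found

def audit_web_xml(xml_text):
    """Return (state_saving_method, password_set, verdict) for one web.xml."""
    root = ET.fromstring(xml_text)
    params = _pairs(root, 'context-param', 'param-name', 'param-value')
    env = _pairs(root, 'env-entry', 'env-entry-name', 'env-entry-value')
    # Mojarra falls back to server-side saving when the parameter is absent.
    method = (params.get('javax.faces.STATE_SAVING_METHOD') or 'server').lower()
    password_set = bool(env.get('com.sun.faces.ClientStateSavingPassword'))
    if method != 'client':
        return method, password_set, 'not affected: server-side state saving'
    if password_set:
        return method, password_set, 'mitigated: client view state is encrypted'
    return method, password_set, 'exposed: unencrypted client-side view state'
```

An 'exposed' verdict on a deployment running jsf-impl older than 2.1.29-08 is the case this bug describes; either upgrading or adding the env-entry clears it.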
Comment 3 Jason Shepherd 2017-08-09 01:43:58 EDT
JBoss Operations Network (JON) 3.3.x uses JSF for the rhq-portal web application, however the javax.faces.STATE_SAVING_METHOD is set to 'server', so it's not affected.
Comment 4 Jason Shepherd 2017-08-09 01:46:27 EDT
Because the default value for javax.faces.STATE_SAVING_METHOD is 'server' on EAP 6.4.x, we won't fix this issue in that version.
Comment 5 Jason Shepherd 2017-08-09 18:31:19 EDT

This issue affects JSF as implemented by the Mojarra project. The Java archive name when packaged in JBoss EAP is jsf-impl.jar.