Bug 1479661 - jsf-impl: JSF client side view state saving deserializes data
Summary: jsf-impl: JSF client side view state saving deserializes data
Status: NEW
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20170809,repor...
Keywords: Reopened, Security
Depends On:
Blocks: 1479444
 
Reported: 2017-08-09 05:23 UTC by Jason Shepherd
Modified: 2018-11-09 22:33 UTC (History)

Fixed In Version: 2.1.29-08
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-09 05:46:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Jason Shepherd 2017-08-09 05:23:11 UTC
When client-side view state saving is used with JavaServer Faces prior to version 2.1.29-08, a serialized representation of the view state is posted to the server. If an attacker can post content and a serialization gadget is available on the server side classpath, an attacker could use this flaw to execute code remotely (RCE).

Comment 1 Jason Shepherd 2017-08-09 05:23:38 UTC
Acknowledgments:

Name: Peter Stöckli (Alphabot Security Switzerland)

Comment 2 Jason Shepherd 2017-08-09 05:42:03 UTC
Mitigation:

A vulnerable web application needs to have set javax.faces.STATE_SAVING_METHOD to 'client' to enable client-side view state saving. The default value on Enterprise Application Platform (EAP) 6.4.x is 'server'.

If javax.faces.STATE_SAVING_METHOD is set to 'client' a mitigation for this issue is to encrypt the view by setting com.sun.faces.ClientStateSavingPassword in the application web.xml:

  <!-- client-side state saving: the serialized view state travels in the page and is posted back -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>

  <!-- password used by Mojarra to encrypt the client-side view state -->
  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>[some secret password]</env-entry-value>
  </env-entry>

Reference: https://access.redhat.com/solutions/2049883
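
A configuration check that follows the mitigation in this comment, added here as an example; it is not part of the bug report, of JBoss EAP or of the Mojarra project. It parses a web.xml, reads the javax.faces.STATE_SAVING_METHOD context-param and the com.sun.faces.ClientStateSavingPassword env-entry, and flags a deployment that saves view state on the client without the encryption password. When the context-param is absent the method is treated as 'server', the default the comment cites for EAP 6.4.x. The three web.xml fragments are constructed for this example; the function and variable names are this example's own. Setting the password is the mitigation; updating jsf-impl to 2.1.29-08 or later is the fix.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments for this example (assumption: sample input written
# for the check, not configuration taken from any real deployment).
WEB_XML_CLIENT_UNENCRYPTED = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
</web-app>
"""

WEB_XML_CLIENT_ENCRYPTED = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>
  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>[some secret password]</env-entry-value>
  </env-entry>
</web-app>
"""

WEB_XML_DEFAULT = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
</web-app>
"""

STATE_PARAM = "javax.faces.STATE_SAVING_METHOD"
PASSWORD_ENTRY = "com.sun.faces.ClientStateSavingPassword"


def _local(tag):
    """Strip the XML namespace so matching works with or without an xmlns on <web-app>."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, local_name):
    """Return the stripped text of the first child with the given local name, or None."""
    for child in element:
        if _local(child.tag) == local_name and child.text is not None:
            return child.text.strip()
    return None


def audit_view_state(web_xml):
    """Report how view state is saved and whether client-side state is left unencrypted."""
    root = ET.fromstring(web_xml)
    method = None
    password_configured = False
    for el in root.iter():
        name = _local(el.tag)
        if name == "context-param" and _child_text(el, "param-name") == STATE_PARAM:
            method = (_child_text(el, "param-value") or "").lower()
        elif name == "env-entry" and _child_text(el, "env-entry-name") == PASSWORD_ENTRY:
            # An empty or whitespace-only value does not count as a configured password.
            password_configured = bool(_child_text(el, "env-entry-value"))
    if not method:
        method = "server"  # default cited in the report for EAP 6.4.x
    exposed = method == "client" and not password_configured
    return {
        "state_saving_method": method,
        "client_state_password_configured": password_configured,
        "exposed": exposed,
    }


if __name__ == "__main__":
    samples = {
        "client, no password": WEB_XML_CLIENT_UNENCRYPTED,
        "client, password set": WEB_XML_CLIENT_ENCRYPTED,
        "no setting (server default)": WEB_XML_DEFAULT,
    }
    for label, doc in samples.items():
        print(label, "->", audit_view_state(doc))
```

The check reads only web.xml; a password supplied through the container's JNDI configuration rather than an env-entry in web.xml would not be seen, so treat a positive result as something to confirm against the deployment descriptor actually in effect.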

Comment 3 Jason Shepherd 2017-08-09 05:43:58 UTC
JBoss Operations Network (JON) 3.3.x uses JSF for the rhq-portal web application, however the javax.faces.STATE_SAVING_METHOD is set to 'server', so it's not affected.

Comment 4 Jason Shepherd 2017-08-09 05:46:27 UTC
Because the default value for javax.faces.STATE_SAVING_METHOD is 'server' on EAP 6.4.x, we won't fix this issue in that version.

Comment 5 Jason Shepherd 2017-08-09 22:31:19 UTC
Statement:

This issue affects JSF as implemented by the Mojarra project. The Java archive name when packaged in JBoss EAP is jsf-impl.jar.

