When client-side view state saving is used with Java Server Faces prior to version 2.1.29-08, a serialzied representation of the view state is posted to the server. If an attacker can post content and a serialization gadget is available on the server side classpath, an attacker could use this flaw to execute code remotely (RCE).
Name: Peter Stöckli (Alphabot Security Switzerland)
A vulnerable web application needs to have set javax.faces.STATE_SAVING_METHOD to 'client' to enable client-side view state saving. The default value on Enterprise Application Platform (EAP) 6.4.x is 'server'.
If javax.faces.STATE_SAVING_METHOD is set to 'client' a mitigation for this issue is to encrypt the view by setting com.sun.faces.ClientStateSavingPassword in the application web.xml:
<env-entry-value>[some secret password]</env-entry-value>
JBoss Operations Network (JON) 3.3.x uses JSF for the rhq-portal web application, however the javax.faces.STATE_SAVING_METHOD is set to 'server', so it's not affected.
Because the default value for javax.faces.STATE_SAVING_METHOD is 'server' on EAP 6.4.x, we won't fix this issue in that version.
This issue affects JSF as implemented by the Mojarra project. The Java archive name when packaged in JBoss EAP is jsf-impl.jar