Bug 598164 (CVE-2010-2086) - CVE-2010-2086 Apache MyFaces: XSS via state view
Summary: CVE-2010-2086 Apache MyFaces: XSS via state view
Status: CLOSED ERRATA
Alias: CVE-2010-2086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: https://www.trustwave.com/spiderlabs/...
Whiteboard: impact=moderate,source=cve,reported=2...
Keywords: Reopened, Security
Depends On:
Blocks: 717649
Reported: 2010-05-31 16:03 UTC by Jan Lieskovsky
Modified: 2016-03-04 12:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object. JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-10-13 07:24:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Jan Lieskovsky 2010-05-31 16:03:41 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2086 to
the following vulnerability:

Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application
Server and other applications, does not properly handle an unencrypted
view state, which allows remote attackers to conduct cross-site
scripting (XSS) attacks or execute arbitrary Expression Language (EL)
statements via vectors that involve modifying the serialized view
object.

References:
  [1] http://www.blackhat.com/presentations/bh-dc-10/Byrne_David/BlackHat-DC-2010-Byrne-SGUI-slides.pdf
  [2] https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
  [3] http://myfaces.apache.org/

Comment 1 Vincent Danen 2011-04-21 17:51:02 UTC
I believe that encryption support was added in MyFaces 1.1.1, so earlier versions would not be affected by this flaw.  For instance, looking at MyFaces 1.1.0:

myfaces-1.1.0-src/share/src/java/org/apache/myfaces% grep -r -i encryption *

This yields nothing.  Yet in 1.1.4:

myfaces-core-1.1.4/source/org/apache/myfaces% grep -r -i encryption *
shared_impl/util/StateUtils.java: * <p>This Class exposes a handful of methods related to encryption,
...

Only StateUtils.java makes any mention of encryption.  So, like CVE-2010-2057, this shouldn't affect myfaces-1.1.0.

Can someone confirm please?

Comment 2 David Jorm 2011-06-23 04:32:10 UTC
From the trustwave advisory:

"When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL) [11] statements that will
be executed on the server. The EL statements can be used to
read data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them."

The problem is that we *don't* have encryption enabled for client-side viewstate. We should upgrade to myfaces >= 1.1.9.
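For reference, the following web.xml fragment is an added illustration (not part of this bug report, the Trustwave advisory, or the MyFaces project's own documentation) showing the weak setting described above beside two hardened alternatives. The context parameter names are the ones read by MyFaces StateUtils; the assumption here is a MyFaces version that supports encrypted and MAC-protected client state (1.1.9 / 1.2.9 or later, per the upgrade recommendation in this comment), and the secret values are placeholders to be replaced with locally generated, base64-encoded keys.

```xml
<!-- Added example, not from this bug or the MyFaces project. Parameter names
     are those read by org.apache.myfaces.shared_impl.util.StateUtils
     (assumed available in MyFaces >= 1.1.9 / 1.2.9). Only ONE of the three
     STATE_SAVING_METHOD blocks below belongs in a real web.xml. -->

<!-- WEAK: client-side state saving with encryption disabled. The serialized
     view object travels to the browser unprotected, so a modified view can be
     returned and deserialized by the server (the CVE-2010-2086 condition). -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>false</param-value>
</context-param>

<!-- HARDENED option A: keep the view on the server. Only an opaque state
     identifier reaches the client, so there is no serialized object to
     modify. Costs session memory per open view. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>server</param-value>
</context-param>

<!-- HARDENED option B: if client-side state is required, encrypt it AND add
     a MAC so that a tampered view state fails verification before it is
     deserialized. Keys are base64-encoded; the AES key must be 16 bytes
     (24/32 if the JCE policy allows). Values below are placeholders. -->
<context-param>
  <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
  <param-value>client</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.USE_ENCRYPTION</param-name>
  <param-value>true</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.ALGORITHM</param-name>
  <param-value>AES</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_AES_KEY</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.MAC_ALGORITHM</param-name>
  <param-value>HmacSHA256</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.MAC_SECRET</param-name>
  <param-value>REPLACE_WITH_BASE64_HMAC_KEY</param-value>
</context-param>
```

A quick verification after deploying either option: base64-decode the value of the javax.faces.ViewState hidden field from a rendered page. An unprotected serialized Java object starts with the stream magic bytes AC ED 00 05 (the base64 text begins with "rO0AB"), and a gzip-compressed one with 1F 8B (base64 "H4sI"); encrypted state shows neither signature, and server-side saving yields only a short identifier rather than a serialized object.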

Comment 3 David Jorm 2011-06-28 01:30:14 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.

JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue.
