Red Hat Bugzilla – Bug 598164
CVE-2010-2086 Apache MyFaces: XSS via state view
Last modified: 2016-03-04 07:39:34 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2086 to
the following vulnerability:
Apache MyFaces 1.1.7 and 1.2.8, as used in IBM WebSphere Application
Server and other applications, does not properly handle an unencrypted
view state, which allows remote attackers to conduct cross-site
scripting (XSS) attacks or execute arbitrary Expression Language (EL)
statements via vectors that involve modifying the serialized view
I believe that encryption support was added in MyFaces 1.1.1, so earlier versions would not be affected by this flaw. For instance, looking at MyFaces 1.1.0:
myfaces-1.1.0-src/share/src/java/org/apache/myfaces% grep -r -i encryption *
This yields nothing. Yet in 1.1.4:
myfaces-core-1.1.4/source/org/apache/myfaces% grep -r -i encryption *
shared_impl/util/StateUtils.java: * <p>This Class exposes a handful of methods related to encryption,
Only StateUtils.java makes any mention of encryption. So, like CVE-2010-2057, this shouldn't affect myfaces-1.1.0.
Can someone confirm please?
From the trustwave advisory:
"When the application's view state is not encrypted, it is
possible for an attacker to supply a new or modified view
object as part of a request. The malicious view can contain
arbitrary HTML code (allowing Cross-Site Scripting), and
arbitrary Expression Language (EL)  statements that will
be executed on the server. The EL statements can be used to
read data stored in user-scoped session variables, and
application or server-scoped variables. Since these
variables should be inaccessible by the user, it is not
uncommon to store sensitive data in them."
The problem is that we *don't* have encryption enabled for client-side viewstate. We should upgrade to myfaces >= 1.1.9.
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
JBoss Enterprise Web Server 1.0.0 ships with Apache MyFaces 1.1.0. Apache MyFaces 1.1.0 does not support encrypted
view state. When the application's view state is not encrypted, it is possible for an attacker to supply a new or modified view object as part of a request. This allows remote attackers to conduct cross-site scripting (XSS) attacks or execute arbitrary Expression Language (EL) statements via vectors that involve modifying the serialized view object.
JBoss Enterprise Web Server 1.0.1 and later does not ship with Apache MyFaces. Upgrading to JBoss Enterprise Web Server 1.0.1 or later is recommended to mitigate this issue.