[
https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15533270#comment-15533270
]
Brian Martin commented on TRINIDAD-2542:
----------------------------------------
Generally, deserialization attacks lead to remote code execution or file
manipulation. The oss-sec post for this issue [1] says "deserialization
security vulnerability" in the subject (and title here), but then calls it
"information disclosure vulnerability" below. Can you confirm the impact of
this vulnerability? Thanks!
[1] http://seclists.org/oss-sec/2016/q3/667
> CVE-2016-5019: MyFaces Trinidad view state deserialization security
> vulnerability
> ---------------------------------------------------------------------------------
>
> Key: TRINIDAD-2542
> URL: https://issues.apache.org/jira/browse/TRINIDAD-2542
> Project: MyFaces Trinidad
> Issue Type: Bug
> Components: Components
> Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
> Reporter: Mike Kienenberger
> Assignee: Leonardo Uribe
> Priority: Critical
> Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core
>
>
> Trinidad’s CoreResponseStateManager both reads and writes view state strings
> using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad
> bypasses the view state security features provided by the JSF implementations
> - ie. the view state is not encrypted and is not MAC’ed.
> Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view
> state strings, which makes Trinidad-based applications vulnerable to
> deserialization attacks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
