Apache MyFaces Trinidad versions 1.0.0 to 1.0.13, 1.2.1 to 1.2.14, 2.0.0 to 2.0.1, and 2.1.0 to 2.1.1 suffer from an information disclosure vulnerability.
Clarification: The first line in this CVE [1] was a copy&paste error
during message composition and is not part of the CVE. This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector. I
apologize for the confusion.
--- Original Advisory ---
CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Trinidad from 1.0.0 to 1.0.13
Trinidad from 1.2.1 to 1.2.14
Trinidad from 2.0.0 to 2.0.1
Trinidad from 2.1.0 to 2.1.1
Description:
Trinidad's CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations - i.e. the view state is neither encrypted nor MAC'ed.
Trinidad's CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks.
Mitigation:
All users of Apache Trinidad should upgrade to either 2.1.2, 2.0.2, or 1.2.15 and enable view state encryption using org.apache.myfaces.USE_ENCRYPTION and related web configuration parameters.
See http://wiki.apache.org/myfaces/Secure_Your_Application for details.
Upgrading all Commons Collections jars on the class path to 3.2.2/4.1 will prevent certain well-known vectors of attack, but will not entirely resolve this issue.
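The condition described above (view state that is a raw, unencrypted ObjectOutputStream blob) and the effect of the mitigation (encrypted and MAC'ed state that no longer decodes to a Java serialization stream) can both be checked from a server response. The following is an added example written for this page, not code from the advisory or from the Trinidad project: it locates javax.faces.ViewState hidden fields in an HTML body and classifies each token by whether its base64-decoded bytes start with the Java serialization header (0xACED 0x0005). The field name, the base64 encoding, the optional gzip-before-encode variant and all sample tokens are assumptions constructed for the example.

```python
"""Audit javax.faces.ViewState tokens for unencrypted Java serialization.

Added example for this advisory, not Trinidad project code. Assumptions:
the token sits in a hidden input named javax.faces.ViewState, is
base64-encoded, and may have been gzip-compressed before encoding.
"""
import base64
import binascii
import gzip
import re
from typing import Optional

# Java ObjectOutputStream header: STREAM_MAGIC 0xACED then STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"

# Assumes the name attribute precedes the value attribute in the input tag.
VIEWSTATE_RE = re.compile(
    r'name="javax\.faces\.ViewState"[^>]*\bvalue="([^"]*)"', re.IGNORECASE
)


def decode_view_state(token: str) -> Optional[bytes]:
    """Base64-decode a view state token; None if it is not base64 at all."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_view_state(token: str) -> str:
    """Classify a single token.

    'plaintext-java-serialized'      raw ObjectOutputStream bytes: the advisory's condition
    'plaintext-java-serialized-gzip' same stream, gzip-compressed first (assumed variant)
    'opaque'                         decodes, but no magic: consistent with encrypted + MAC'ed state
    'not-base64'                     server-side state id or other non-base64 value
    'empty'                          no token present
    """
    if not token:
        return "empty"
    raw = decode_view_state(token)
    if raw is None:
        return "not-base64"
    if raw.startswith(JAVA_SERIAL_MAGIC):
        return "plaintext-java-serialized"
    if raw.startswith(GZIP_MAGIC):
        try:
            inflated = gzip.decompress(raw)
        except (OSError, EOFError):
            return "opaque"
        if inflated.startswith(JAVA_SERIAL_MAGIC):
            return "plaintext-java-serialized-gzip"
    return "opaque"


def audit_html(body: str) -> list[tuple[str, str]]:
    """Return (token, verdict) for every view state field found in a response body."""
    return [(m.group(1), classify_view_state(m.group(1))) for m in VIEWSTATE_RE.finditer(body)]


# Constructed samples; none of these were captured from a real application.
PLAINTEXT_SAMPLE = base64.b64encode(
    JAVA_SERIAL_MAGIC + b"sr\x00\x0fexample.Payload\x00" + b"\x00" * 8
).decode()
GZIP_SAMPLE = base64.b64encode(gzip.compress(JAVA_SERIAL_MAGIC + b"sr\x00\x05Dummy")).decode()
OPAQUE_SAMPLE = base64.b64encode(bytes(range(0x10, 0x30))).decode()  # no magic: stands in for encrypted state
SERVER_TOKEN = "!-3f2a"  # server-side state id style, not base64

SAMPLE_HTML = (
    '<form id="f"><input type="hidden" name="javax.faces.ViewState" '
    f'id="f:javax.faces.ViewState" value="{PLAINTEXT_SAMPLE}">'
    '<input type="hidden" name="javax.faces.ViewState" '
    f'value="{OPAQUE_SAMPLE}"></form>'
)


def main() -> None:
    # A 'plaintext-java-serialized*' verdict means the state manager is emitting
    # bare serialized objects; after enabling view state encryption the same
    # page should report 'opaque' (or 'not-base64' for server-side tokens).
    for token, verdict in audit_html(SAMPLE_HTML):
        print(f"{verdict:32} {token[:24]}...")


if __name__ == "__main__":
    main()
```

Run it against a saved response body before and after applying the mitigation; an 'opaque' verdict only shows that the token is no longer plaintext serialization, it does not by itself prove a MAC is being verified on the way back in.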
References:
https://issues.apache.org/jira/browse/TRINIDAD-2542
This issue was discovered by Teemu Kääriäinen and reported by Andy Schwartz.