[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343942#comment-16343942 ]

Thomas Andraschko commented on MYFACES-4133:

[~stockli] Seems like HMAC is already used. If not, please create a new issue.

> Don't deserialize the ViewState-ID if the state saving method is server
> ---
>
> Key: MYFACES-4133
> URL: https://issues.apache.org/jira/browse/MYFACES-4133
> Project: MyFaces Core
> Issue Type: Improvement
> Components: General
> Affects Versions: 2.2.12
> Reporter: Peter Stöckli
> Assignee: Thomas Andraschko
> Priority: Major
> Fix For: 2.3.0
>
> Attachments: 2.1.x-r1817658-r1817712.patch, MYFACES-4133.patch, trunk-r1817658-r1817806.patch
>
> Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to {{server}} (the default).
> The deserialization in this case is unnecessary and most likely even slower than just sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
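An added example, not MyFaces code and not part of the thread: the sketch below contrasts the two token designs the issue description above is about. The "before" processor round-trips a serialized view key through ObjectInputStream, which is the call that turns a disabled encryption/MAC layer into a deserialization sink; the "after" processor hands the client a random opaque id with an HMAC over it and restores state with a plain map lookup, so there is nothing to deserialize whatever org.apache.myfaces.USE_ENCRYPTION is set to. All class and method names, the "id.mac" token layout and the hard-coded demo secret are assumptions made for illustration only; in a real JSF deployment the token travels in the javax.faces.ViewState form field and the MAC key comes from the application's configuration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative sketch; every class and method name here is invented, none is a MyFaces API. */
public class ViewStateTokenDemo {

    /** Stand-in for the per-view key kept in the session (constructed for this demo). */
    static final class ViewKey implements Serializable {
        private static final long serialVersionUID = 1L;
        final int slot, sequence;
        ViewKey(int slot, int sequence) { this.slot = slot; this.sequence = sequence; }
        @Override public boolean equals(Object o) { return o instanceof ViewKey && ((ViewKey) o).slot == slot && ((ViewKey) o).sequence == sequence; }
        @Override public int hashCode() { return 31 * slot + sequence; }
    }

    /** BEFORE: the token is the serialized ViewKey, so readObject() runs on client-controlled bytes. */
    static final class DeserializingTokenProcessor {
        private final Map<ViewKey, Object> views = new ConcurrentHashMap<>();

        String issue(ViewKey key, Object state) throws IOException {
            views.put(key, state);
            ByteArrayOutputStream bos = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(key); }
            return Base64.getEncoder().encodeToString(bos.toByteArray());
        }

        Object restore(String token) throws IOException, ClassNotFoundException {
            byte[] raw = Base64.getDecoder().decode(token);                  // untrusted input
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(raw))) {
                return views.get(ois.readObject());   // with USE_ENCRYPTION=false nothing guards this call
            }
        }
    }

    /** AFTER: the token is a random opaque id plus an HMAC over it; restoring is a map lookup. */
    static final class OpaqueTokenProcessor {
        private static final String ALG = "HmacSHA256";
        private final Map<String, Object> views = new ConcurrentHashMap<>();
        private final SecretKeySpec macKey;
        private final SecureRandom rng = new SecureRandom();

        OpaqueTokenProcessor(byte[] secret) { this.macKey = new SecretKeySpec(secret, ALG); }

        String issue(Object state) throws Exception {
            byte[] id = new byte[16];
            rng.nextBytes(id);
            String idText = Base64.getUrlEncoder().withoutPadding().encodeToString(id);
            views.put(idText, state);
            return idText + "." + mac(idText);
        }

        /** Returns null for a malformed, forged or tampered token; never touches ObjectInputStream. */
        Object restore(String token) throws Exception {
            int dot = token.indexOf('.');
            if (dot <= 0) return null;
            String idText = token.substring(0, dot);
            byte[] given;
            try {
                given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            } catch (IllegalArgumentException e) {
                return null;
            }
            byte[] expected = Base64.getUrlDecoder().decode(mac(idText));
            if (!MessageDigest.isEqual(expected, given)) return null;        // constant-time compare
            return views.get(idText);
        }

        private String mac(String idText) throws Exception {
            Mac mac = Mac.getInstance(ALG);
            mac.init(macKey);
            byte[] tag = mac.doFinal(idText.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        }
    }

    public static void main(String[] args) throws Exception {
        DeserializingTokenProcessor before = new DeserializingTokenProcessor();
        String t1 = before.issue(new ViewKey(1, 1), "view 1 component tree");
        System.out.println("before: " + before.restore(t1));              // works, but via readObject()

        // Demo-only secret; a deployment would use its configured MAC key.
        OpaqueTokenProcessor after = new OpaqueTokenProcessor("demo-secret".getBytes(StandardCharsets.UTF_8));
        String t2 = after.issue("view 1 component tree");
        System.out.println("after: " + after.restore(t2));
        // Change one character of the id: the MAC no longer matches and the lookup is refused.
        String tampered = (t2.charAt(0) == 'A' ? 'B' : 'A') + t2.substring(1);
        System.out.println("tampered: " + after.restore(tampered));       // null
    }
}
```

Compile and run with any JDK 8 or later (javac ViewStateTokenDemo.java && java ViewStateTokenDemo). The tampered run shows that a bad MAC is rejected before any lookup happens, and the "after" path has no readObject() at all, which is why the thread's concern about USE_ENCRYPTION=false only bites while the token is still a serialized object.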
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343870#comment-16343870 ]

Thomas Andraschko commented on MYFACES-4133:

Committed a modified version - without deleting the StateTokenProcessor but moving the instantiation to the StateCache. Also I removed only the CounterKeyFactory, leaving e.g. IntIntSerializedViewKey, which can be reused later.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16298050#comment-16298050 ]

Andy Gumbrecht commented on MYFACES-4133:

Hi All,

I've not taken any liberty in the patches - the applied 2.3.x revisions are in the patch names. These have been submitted purely to resolve the remote code execution issue. We use MyFaces over at Apache TomEE - so I'm not wanting to tread on any toes here. I'd just like to get your judgement on how you feel about this and if and when a release on the 2.1.x would occur - we have users that would like to get that plugged, so we're thinking about cutting an internal early access release.

Best regards,
Andy.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16297259#comment-16297259 ]

Thomas Andraschko commented on MYFACES-4133:

The classes were removed because "sequence" MUST not be used anymore. The change itself is quite small and is attached here.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16135942#comment-16135942 ]

Thomas Andraschko commented on MYFACES-4133:

[~lu4242] I had a look at it but I'm not sure. IMO the code in DefaultStateTokenProcessor should be moved to ServerSideStateCacheImpl/ServerSideStateCacheImpl. The impl can easily decide if StateUtils#construct or reconstruct needs to be called. The DefaultStateTokenProcessor is IMO a little bit too much of an abstraction and could be better moved into *StateCacheImpl. Would be great if you could take care of this issue. You know this part very well.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16134108#comment-16134108 ]

Mike Kienenberger commented on MYFACES-4133:

There are times when encryption is not necessary. Not every JSF app has to be secure. Also, I suspect that disabling encryption may make it easier to debug certain classes of problems. But the default should be encrypted.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133048#comment-16133048 ]

Thomas Andraschko commented on MYFACES-4133:

1) makes sense
2) I think it's valid to disable encryption if server-side state is used
3) using a better default algorithm makes sense but this should be another jira issue
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133041#comment-16133041 ]

Peter Stöckli commented on MYFACES-4133:

[~lu4242]: I propose the following steps:

1. Don't serialize/deserialize ViewState-IDs
2. If you say the ViewState encryption should never be disabled then don't allow the ViewState to be disabled! Remove the param {{org.apache.myfaces.USE_ENCRYPTION}} or better: throw an exception at start up if that param is set to false with a message like: "You must not disable ViewState encryption/auth! Assume all systems that had ViewState encryption disabled to be breached!"
3. Upgrade the default encryption and HMAC algorithms.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128817#comment-16128817 ]

Leonardo Uribe commented on MYFACES-4133:

Encryption should NEVER be disabled for view state token, because there is no safe way to make it work with this disabled, but beyond that, I agree serializing the session id is not necessary on server side state saving. Please note encryption also adds a Message Authentication Code (MAC) that protects the view state token against tampering and other attacks, but this works together with the encryption. What's more, maybe it is a good idea to change the default encryption algorithm to AES or something.
[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server
[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128488#comment-16128488 ]

Thomas Andraschko commented on MYFACES-4133:

I see - now I understand your problem (also renamed the title). [~lu4242] WDYT about this one? Why do we serialize the id? It's really not required.