[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2018-01-29 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343942#comment-16343942 ]

Thomas Andraschko commented on MYFACES-4133:


[~stockli] Seems like HMAC is already used. If not, please create a new issue.

> Don't deserialize the ViewState-ID if the state saving method is server
> ---
>
> Key: MYFACES-4133
> URL: https://issues.apache.org/jira/browse/MYFACES-4133
> Project: MyFaces Core
> Issue Type: Improvement
> Components: General
> Affects Versions: 2.2.12
> Reporter: Peter Stöckli
> Assignee: Thomas Andraschko
> Priority: Major
> Fix For: 2.3.0
>
> Attachments: 2.1.x-r1817658-r1817712.patch, MYFACES-4133.patch, trunk-r1817658-r1817806.patch
>
>
> Currently the ViewState-ID provided by the user is deserialized via Java deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to {{server}} (the default).
> The deserialization in this case is unnecessary and most likely even slower than just sending the ViewState-ID directly.
> If a developer now disables the ViewState encryption by setting {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he might have unintentionally introduced a dangerous remote code execution (RCE) vulnerability as described [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2018-01-29 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16343870#comment-16343870 ]

Thomas Andraschko commented on MYFACES-4133:


Committed a modified version, without deleting the StateTokenProcessor but moving the instantiation to the StateCache.
Also I removed only the CounterKeyFactory, leaving e.g. IntIntSerializedViewKey, which can be reused later.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-12-20 Thread Andy Gumbrecht (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16298050#comment-16298050 ]

Andy Gumbrecht commented on MYFACES-4133:

Hi All, I've not taken any liberty in the patches; the applied 2.3.x revisions are in the patch names. These have been submitted purely to resolve the remote code execution issue.
We use MyFaces over at Apache TomEE, so I'm not wanting to tread on any toes here.
I'd just like to get your judgement on how you feel about this and if and when a release on the 2.1.x would occur. We have users that would like to get that plugged, so we're thinking about cutting an internal early access release.
Best regards, Andy.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-12-19 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16297259#comment-16297259 ]

Thomas Andraschko commented on MYFACES-4133:


The classes were removed because "sequence" MUST not be used anymore. The change itself is quite small and is attached here.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-21 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16135942#comment-16135942 ]

Thomas Andraschko commented on MYFACES-4133:


[~lu4242] I had a look at it but I'm not sure. IMO the code in DefaultStateTokenProcessor should be moved to ServerSideStateCacheImpl/ServerSideStateCacheImpl. The impl can easily decide if StateUtils#construct or reconstruct needs to be called. The DefaultStateTokenProcessor is IMO a little bit too much of an abstraction and could be better moved into *StateCacheImpl.
Would be great if you could take care of this issue. You know this part very well.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-19 Thread Mike Kienenberger (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16134108#comment-16134108 ]

Mike Kienenberger commented on MYFACES-4133:


There are times when encryption is not necessary. Not every JSF app has to be secure.
Also, I suspect that disabling encryption may make it easier to debug certain classes of problems.

But the default should be encrypted.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-18 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133048#comment-16133048 ]

Thomas Andraschko commented on MYFACES-4133:


1) makes sense
2) I think it's valid to disable encryption if server-side state is used
3) using a better default algorithm makes sense, but this should be another JIRA issue



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-18 Thread JIRA

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16133041#comment-16133041 ]

Peter Stöckli commented on MYFACES-4133:


[~lu4242]:
I propose the following steps:
# Don't serialize/deserialize ViewState-IDs.
# If you say the ViewState encryption should never be disabled, then don't allow the ViewState to be disabled! Remove the param {{org.apache.myfaces.USE_ENCRYPTION}} or, better, throw an exception at startup if that param is set to false, with a message like: "You must not disable ViewState encryption/auth! Assume all systems that had ViewState encryption disabled to be breached!"
# Upgrade the default encryption and HMAC algorithms.

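As an added illustration of the issue description and of steps 1 and 2 of the proposal above (not code from MyFaces or from anyone in this thread), here is a hypothetical server-side ViewState token whose lookup key is two hex-encoded integers protected by an HMAC and parsed with plain integer parsing, never with ObjectInputStream, plus a fail-fast startup guard. The class and method names, the boolean flag, the token layout and the demo key are assumptions of this example; it needs Java 17+ for java.util.HexFormat.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical token layout (not MyFaces code): "<sessionCounter>:<viewCounter>:<hmac>", all hex.
// The counters only look up state in the server-side cache; nothing in the token is deserialized.
public final class PlainViewStateToken {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public PlainViewStateToken(byte[] secret) {
        key = new SecretKeySpec(secret, ALG);
    }

    // Startup guard in the spirit of step 2 of the proposal: fail fast rather than
    // run with the MAC switched off. The flag name is an assumption of this example.
    public static void requireEncryption(boolean useEncryption) {
        if (!useEncryption) throw new IllegalStateException("ViewState encryption/MAC must not be disabled");
    }

    public String encode(int sessionCounter, int viewCounter) {
        String body = Integer.toHexString(sessionCounter) + ':' + Integer.toHexString(viewCounter);
        return body + ':' + HexFormat.of().formatHex(mac(body));
    }

    // Returns {sessionCounter, viewCounter}, or null for a malformed or forged token.
    public int[] decode(String token) {
        String[] parts = token.split(":", -1);
        if (parts.length != 3) return null;
        try {
            byte[] expected = mac(parts[0] + ':' + parts[1]);
            // Constant-time compare: verify the tag before interpreting anything else.
            if (!MessageDigest.isEqual(expected, HexFormat.of().parseHex(parts[2]))) return null;
            return new int[] {Integer.parseUnsignedInt(parts[0], 16), Integer.parseUnsignedInt(parts[1], 16)};
        } catch (IllegalArgumentException e) { // bad hex or bad integer
            return null;
        }
    }

    private byte[] mac(String body) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            return m.doFinal(body.getBytes(StandardCharsets.US_ASCII));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        requireEncryption(true);
        // Constructed demo secret; a real deployment uses a random per-application key.
        PlainViewStateToken t = new PlainViewStateToken("constructed-demo-key-32-bytes!!".getBytes(StandardCharsets.US_ASCII));
        String token = t.encode(7, 3);
        int[] ids = t.decode(token);                        // {7, 3}
        int[] forged = t.decode("8" + token.substring(1));  // null: tag no longer matches
        System.out.println(ids[0] + "," + ids[1] + " forged=" + forged);
    }
}
```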


[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-16 Thread Leonardo Uribe (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128817#comment-16128817 ]

Leonardo Uribe commented on MYFACES-4133:

Encryption should NEVER be disabled for the view state token, because there is no safe way to make it work with this disabled, but beyond that, I agree serializing the session id is not necessary on server-side state saving.

Please note encryption also adds a Message Authentication Code (MAC) that protects the view state token against tampering and other attacks, but this works together with the encryption.

What's more, maybe it is a good idea to change the default encryption algorithm to AES or something.



[jira] [Commented] (MYFACES-4133) Don't deserialize the ViewState-ID if the state saving method is server

2017-08-16 Thread Thomas Andraschko (JIRA)

[ https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16128488#comment-16128488 ]

Thomas Andraschko commented on MYFACES-4133:


I see, now I understand your problem (also renamed the title).
[~lu4242] WDYT about this one? Why do we serialize the id? It's really not required.
