Repository: wicket-site Updated Branches: refs/heads/asf-site 43935ae59 -> c202a1f61
Announcing CVE-2016-6793: Apache Wicket deserialization vulnerability Project: http://git-wip-us.apache.org/repos/asf/wicket-site/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket-site/commit/c202a1f6 Tree: http://git-wip-us.apache.org/repos/asf/wicket-site/tree/c202a1f6 Diff: http://git-wip-us.apache.org/repos/asf/wicket-site/diff/c202a1f6 Branch: refs/heads/asf-site Commit: c202a1f616f460643bf82441480946e3f689f884 Parents: 43935ae Author: Pedro Henrique Oliveira dos Santos <[email protected]> Authored: Sat Dec 31 06:47:08 2016 +0000 Committer: Pedro Henrique Oliveira dos Santos <[email protected]> Committed: Sat Dec 31 06:47:08 2016 +0000 ---------------------------------------------------------------------- 2016/_posts/2016-12-31-cve-2016-6793.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket-site/blob/c202a1f6/2016/_posts/2016-12-31-cve-2016-6793.md ---------------------------------------------------------------------- diff --git a/2016/_posts/2016-12-31-cve-2016-6793.md b/2016/_posts/2016-12-31-cve-2016-6793.md new file mode 100644 index 0000000..15a63f9 --- /dev/null +++ b/2016/_posts/2016-12-31-cve-2016-6793.md 
@@ -0,0 +1,24 @@ +--- +layout: post +title: CVE-2016-6793 Apache Wicket deserialization vulnerability +--- + +*Severity*: Low + +*Vendor*: The Apache Software Foundation + +*Versions Affected*: Apache Wicket 6.x and 1.5.x + +*Description*: Depending on the ISerializer set in the Wicket application, +it's possible that a Wicket's object deserialized from an untrusted source +and utilized by the application to causes the code to enter in an infinite +loop. Specifically, Wicket's DiskFileItem class, serialized by Kryo, allows +an attacker to hack its serialized form to put a client on an infinite loop +if the client attempts to write on the DeferredFileOutputStream attribute. + +*Mitigation*: Upgrade to Apache Wicket 6.25.0 or 1.5.17 + +*Credit*: This issue was discovered +by Jacob Baines, Tenable Network Security and Pedro Santos + +References: https://wicket.apache.org/news
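Review bot: the Description paragraph in this hunk has grammar that obscures the security point: `+and utilized by the application to causes the code to enter in an infinite` should read "and used by the application can cause the code to enter an infinite loop", `+if the client attempts to write on the DeferredFileOutputStream attribute.` should say "writes to", and "hack its serialized form" is clearer as "tamper with its serialized form". The same paragraph makes exposure depend on the configured ISerializer (it names Kryo as the serializer of DiskFileItem), yet the Mitigation line only says to upgrade; consider stating explicitly which serializer configurations are affected so operators who cannot upgrade immediately can judge their exposure. The Credit line is ambiguous about whether Tenable Network Security is Jacob Baines's affiliation or a third credited party; "Jacob Baines of Tenable Network Security, and Pedro Santos" would settle it. Finally, the References line points only at the general news page; a direct link to the CVE-2016-6793 entry or to the issue that fixed it in 6.25.0 and 1.5.17 would let readers verify the fixed versions.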
