[
https://issues.apache.org/jira/browse/MYFACES-4133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16298050#comment-16298050
]
Andy Gumbrecht commented on MYFACES-4133:
-----------------------------------------
Hi All, I've not taken any liberty in the patches; the applied 2.3.x revisions
are in the patch names. These have been submitted purely to resolve the remote
code execution issue.
We use MyFaces over at Apache TomEE, so I'm not wanting to tread on any toes
here.
I'd just like to get your judgement on how you feel about this and if and when
a release on the 2.1.x would occur; we've users that would like to get that
plugged, so we're thinking about cutting an internal early access release.
Best regards, Andy.
> Don't deserialize the ViewState-ID if the state saving method is server
> -----------------------------------------------------------------------
>
> Key: MYFACES-4133
> URL: https://issues.apache.org/jira/browse/MYFACES-4133
> Project: MyFaces Core
> Issue Type: Improvement
> Components: General
> Affects Versions: 2.2.12
> Reporter: Peter Stöckli
> Assignee: Thomas Andraschko
> Fix For: 2.3.0
>
> Attachments: 2.1.x-r1817658-r1817712.patch, MYFACES-4133.patch,
> trunk-r1817658-r1817806.patch
>
>
> Currently the ViewState-ID provided by the user is deserialized via Java
> deserialization even when the {{javax.faces.STATE_SAVING_METHOD}} is set to
> {{server}} (the default).
> The deserialization in this case is unnecessary and most likely even slower
> than just sending the ViewState Id directly.
> If a developer now disables the ViewState encryption by setting
> {{org.apache.myfaces.USE_ENCRYPTION}} to {{false}} (against the [MyFaces
> security advice|https://wiki.apache.org/myfaces/Secure_Your_Application]) he
> might have unintentionally introduced a dangerous remote code execution (RCE)
> vulnerability as described
> [here|https://www.alphabot.com/security/blog/2017/java/Misconfigured-JSF-ViewStates-can-lead-to-severe-RCE-vulnerabilities.html].
> This has been discussed before on [Issue
> MYFACES-4021|https://issues.apache.org/jira/browse/MYFACES-4021].
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
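The point of the issue is that with server-side state saving the client only ever holds a lookup key, so that key should be validated as a fixed-format token and resolved by lookup, never handed to Java deserialization. The following is an added illustration written for this page, not MyFaces' own code; the token format, the class and method names, and the in-memory store are assumptions.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;

/**
 * Hypothetical resolver for the server-side state saving case described in
 * MYFACES-4133: the ViewState value received from the client is treated as an
 * opaque identifier. No ObjectInputStream is involved anywhere on this path.
 */
public final class ServerStateTokenResolver {
    // Constructed token format "<sessionSeq>:<viewSeq>" in hex (an assumption,
    // not the format MyFaces actually emits). Anything else is rejected up front.
    private static final Pattern TOKEN = Pattern.compile("^[0-9a-f]{1,16}:[0-9a-f]{1,16}$");
    private final Map<String, Object> serverSideStates = new ConcurrentHashMap<>();

    /** Stores a view's state server-side and returns the key the client will echo back. */
    public String store(long sessionSeq, long viewSeq, Object state) {
        String key = Long.toHexString(sessionSeq) + ":" + Long.toHexString(viewSeq);
        serverSideStates.put(key, state);
        return key;
    }

    /** Resolves the client-supplied token by lookup only; null for malformed or unknown keys. */
    public Object resolve(String clientToken) {
        if (clientToken == null || !TOKEN.matcher(clientToken).matches()) {
            return null; // malformed: reject before touching any other component
        }
        return serverSideStates.get(clientToken);
    }

    /**
     * Startup check over the web.xml context parameters named in the issue: the
     * dangerous combination is client-side state saving with encryption turned off.
     */
    public static boolean isSafeConfiguration(Map<String, String> initParams) {
        String method = initParams.getOrDefault("javax.faces.STATE_SAVING_METHOD", "server");
        boolean encryption = !"false".equalsIgnoreCase(initParams.get("org.apache.myfaces.USE_ENCRYPTION"));
        // Server mode: the token is an identifier, so deserialization must not happen at all.
        // Client mode: the serialized state travels with the client and must stay encrypted.
        return "server".equalsIgnoreCase(method) || encryption;
    }
}
```

Passing a map with `javax.faces.STATE_SAVING_METHOD=client` and `org.apache.myfaces.USE_ENCRYPTION=false` to `isSafeConfiguration` yields false, which is the misconfiguration the issue warns about.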