Oracle JavaServer Faces contains multiple vulnerabilities which could allow an attacker to obtain sensitive information.
Oracle JavaServer Faces contains multiple vulnerabilities which could allow an attacker to obtain sensitive information.
Alex Kouzemtchenko and Jon Passki of Coverity Security Research Labs vulnerability report states Oracle JavaServer Faces contains the following vulnerabilities:
* Partial Directory Traversal Via Resource Identifier ([CWE-22](<http://cwe.mitre.org/data/definitions/22.html>)): A defect exists that allows for directory traversal within the application. The directory traversal is limited in that it cannot be used to escape from the application and access arbitrary files on the application server. The following URL will access the WEB-INF/web.xml file assuming the JSF suffix of ".jsf" is used and ".xml" is not excluded:` ``<http://www.example.com/someApp/javax.faces.resource.../WEB-INF/web.xml.jsf>`
* Partial Directory Traversal Via Library Name ([CWE-22](<http://cwe.mitre.org/data/definitions/22.html>)). A defect exists that allows for directory traversal within the application. The directory traversal is limited in that it cannot be used to escape from the application and access arbitrary files on the application server. The following URL will access the ``WEB-INF/web.xml`` file assuming the JSF suffix of ".jsf" is used and ".xml" is not excluded: `<http://www.example.com/someApp/javax.faces.resource./WEB-INF/web.xml.jsf?ln=>.``.`
* Encryption Context Parameter Incorrectly Documented ([CWE-705](<http://cwe.mitre.org/data/definitions/705.html>)). The` ``[``documented][ClientStateSavingPassword]` mechanism to encrypt the ViewState parameter is to add the following JNDI environmental variable to web.xml:
<env-entry>
<env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>[SOME VALUE]</env-entry-value>
</env-entry>
During initialization, the ClientStateSavingPassword
enum member uses the WebEnvironmentEntry(String qualifiedName)
constructor, passing in the string âClientStateSavingPasswordâ. This results in a qualified name of java:comp/env/ClientStateSavingPassword
. Following the documentation results in a qualified name of java:comp/env/com.sun.faces.ClientStateSavingPassword
. The com.sun.faces.renderkit.ClientSideStateHelper.init()
checks for the ClientStateSavingPassword
web configuration value when determining if its guard
field ought to be initialized via com.sun.faces.renderkit.ByteArrayGuard
. If no match is found, encryption and decryption is not used on the ViewState parameter.
* ViewState HMAC Not Verified in Constant Time (CWE-367). When a proper ClientStateSavingPassword
is set for the application, the com.sun.faces.renderkit.ByteArrayGuard.decrypt(byte[])
method is eventually called to decipher the supplied value. An Hashed-Based Message Authentication Code (HMAC) is obtained from the decoded byte array, stored in the macBytes
variable. A new HMAC is generated on the supplied ciphertext and its value is stored in the macBytesCalculated
variable. These variables are then compared in a non-constant time fashion via the following:
if (Arrays.equals(macBytes, macBytesCalculated)) {
// continue only if the MAC was valid
// System.out.println(âValid MAC found!â);
byte[] plaindata = decryptCipher.doFinal(encdata);
return plaindata;
Arrays.equals has been show to have measurable timing delays when checking byte values. This may allow an attacker on a LAN to measure these delays, obtain a timing side channel, and subsequently generate an HMAC value that is valid for
a given ciphertext, bypassing the control.
A remote unauthenticated attacker may obtain sensitive information.
These vulnerabilities have been addressed in Oracle Critical Patch Update Advisory - October 2013. Affected users are advised to apply the recommended Critical Path updates listed in the Oracle Critical Patch Update Advisory - October 2013 for CVE-2013-3827.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from accessing JavaServer Faces using stolen credentials from a blocked network location.
526012
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: February 11, 2013 Updated: October 17, 2013
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Temporal | 4.1 | E:F/RL:OF/RC:C |
Environmental | 3.5 | CDP:L/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Alex Kouzemtchenko and Jon Passki of Coverity Security Research Labs for reporting this vulnerability.
This document was written by Michael Orlando.
CVE IDs: | CVE-2013-3827 |
---|---|
Date Public: | 2013-10-15 Date First Published: |
cwe.mitre.org/data/definitions/22.html
cwe.mitre.org/data/definitions/367.html
docs.oracle.com/javaee/6/api/javax/faces/webapp/FacesServlet.html
javaserverfaces.java.net/download.html
security.coverity.com/advisory/2013/Oct/two-path-traversal-defects-in-oracles-jsf2-implementation.html
www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html