Details
-
Type:
Task
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-4.3.0.GA_P01
-
Fix Version/s: EE-4.3.0.GA_P02
-
Component/s: Framework, Sample Apps
-
Labels:None
-
Environment:external jars, security
-
Support Case References:Support Case 14503:- https://icesoft.my.salesforce.com/5000g000027qZtm
-
Workaround Description:Mojarra does not seem to serialize the view state token for server side state saving
Description
A security scan has shown issues with up to the the myfaces 2.2.12 version. see
https://issues.apache.org/jira/browse/MYFACES-4133
this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.
other jars that have security scans may be used in our samples and should also be updated if possible:-
commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
dom4j : 1.6.1 Open
javax.servlet : jstl : 1.2 Open
org.apache.poi : poi : 3.9 Open
org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.
https://issues.apache.org/jira/browse/MYFACES-4133
this has been resolved in myfaces - 2.3.0, so that version of the jar should be tested/included in next release.
other jars that have security scans may be used in our samples and should also be updated if possible:-
commons-beanutils : commons-beanutils : 1.9.2 Open or 1.9.3
dom4j : 1.6.1 Open
javax.servlet : jstl : 1.2 Open
org.apache.poi : poi : 3.9 Open
org.glassfish : javax.faces : 2.3.5 Open --scan states The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications.
Explanation v 2.3.4 and 2.3.5 are only versions that are vulnerable, so stay away from these 2 versions of mojarra.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
| Field | Original Value | New Value |
|---|---|---|
| Affects Version/s | EE-4.3.0.GA_P01 [ 13280 ] | |
| Affects Version/s | EE-4.3.0.GA_P02 [ 13292 ] |
| Fix Version/s | EE-4.3.0.GA_P02 [ 13292 ] |
| Assignee | Ken Fyten [ ken.fyten ] |
| Assignee | Ken Fyten [ ken.fyten ] | Arturo Zambrano [ artzambrano ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Summary | update Myfaces library due to issue with security scan, do not use Mojarra 2.3.4 or 2.3.5 | Update 3rd Party Libraries |
| Resolution | Fixed [ 1 ] | |
| Status | Resolved [ 5 ] | Reopened [ 4 ] |
| Status | Reopened [ 4 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Issue Type | Bug [ 1 ] | Task [ 3 ] |
| Status | Resolved [ 5 ] | Closed [ 6 ] |