Bug 548244 - Vulnerability within Oracle Mojarra JSF v2.2 and v2.3
Summary: Vulnerability within Oracle Mojarra JSF v2.2 and v2.3
Status: CLOSED MOVED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports
Version: unspecified
Hardware: PC Windows 10
Importance: P3 major
Target Milestone: ---
Assignee: Security vulnerabilities reported against Eclipse projects
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2019-06-13 10:50 EDT by Jean-Benjamin Rousseau
Modified: 2021-12-23 06:45 EST
CC List: 7 users

See Also:


Attachments
security advisory (9.90 KB, text/plain)
2019-06-13 10:50 EDT, Jean-Benjamin Rousseau

Description Jean-Benjamin Rousseau 2019-06-13 10:50:52 EDT
Created attachment 278927: security advisory

Dear Eclipse team, 

SEC Consult is a leading consulting company for information security. During a short security crash test we have found a high-level security vulnerability within Oracle Mojarra JSF v2.2 and v2.3. The vulnerability has been reported to Oracle and is currently being fixed.

An incomplete fix has already been applied:
 •	https://github.com/javaserverfaces/mojarra/commit/618b35db4d0d0b09a54a5857ba34490a6963c5ab
 •	https://github.com/javaserverfaces/mojarra/commit/6b8f467ac96c862364dff97655a8e4cea4ad3ec8

We just made another request for a more secure fix.

The Oracle security team told us to contact you to request a CVE ID since the issue affects the Open Source release. The security advisory with proof of concept information is attached. Could you assign a new CVE ID to this vulnerability?

Best regards,

Jean-Benjamin Rousseau
Security Consultant
-------------------------------------------------------------------- 
SEC Consult (Schweiz) AG
Turbinenstrasse 28 | 8005 Zurich | Switzerland
P +41 44 271 77 70 | M +41 79 109 53 22
j.rousseau@sec-consult.com
Comment 1 Wayne Beaton 2019-06-13 11:36:37 EDT
I can only issue CVEs against Eclipse products, and I need the project lead (or their delegate) to make the request.

I've added the project lead in copy.

Arjan, can you validate that this is a vulnerability in Eclipse Mojarra and that you want the Eclipse Foundation to create a CVE? If yes, then I need you to provide some information.

There's help in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve

Per our policy, I'm marking this as "committers-only" to prevent premature disclosure. We need to remove this flag before we can push the CVE (the timing of removing that flag up to that point is entirely at the discretion of the project).
Comment 2 Jean-Benjamin Rousseau 2019-06-24 05:11:18 EDT
For your information, the project team had already provided a first patch for this vulnerability. It can be found at:
 - https://github.com/javaserverfaces/mojarra/commit/618b35db4d0d0b09a54a5857ba34490a6963c5ab
 - https://github.com/javaserverfaces/mojarra/commit/6b8f467ac96c862364dff97655a8e4cea4ad3ec8

The patch is not sufficient and I requested them to apply a stronger restriction on the user inputs. We are still waiting for an answer and a fix before releasing the advisory.

Would it be possible to have an answer regarding the attribution of the CVE ID before the end of July?

Thanks.
Comment 3 Jean-Benjamin Rousseau 2019-07-01 06:02:31 EDT
Hello,

A patch has also been applied to the following Git repository:
https://github.com/eclipse-ee4j/mojarra/issues/4556

Can you update me regarding the assignment of the CVE ID?

Thanks,
Jean-Benjamin Rousseau
Comment 4 Jean-Benjamin Rousseau 2019-07-12 15:42:37 EDT
Hello,

A merge request with the patch has been applied on the 17th of May:
https://github.com/eclipse-ee4j/mojarra/pull/4567
The vulnerability has been fully fixed.

Please, update me regarding the status of the CVE request.

Best regards,
Jean-Benjamin Rousseau
Comment 5 Jean-Benjamin Rousseau 2019-08-23 07:22:01 EDT
Hello,

Any news on your side?

Regards,
Jean-Benjamin
Comment 6 arjan tijms 2019-08-23 18:14:36 EDT
Hi, this is the first time I get to see this bug and the CVE request.

I'll study the requirements/handbook and will issue a request next week as soon as I get the chance.
Comment 7 Jean-Benjamin Rousseau 2019-08-28 10:23:32 EDT
Hello,

Thank you for your response.

I checked for the patches applied to JSF. I found two:
 - https://github.com/javaserverfaces/mojarra/commit/618b35db4d0d0b09a54a5857ba34490a6963c5ab
 - https://github.com/eclipse-ee4j/mojarra/commit/8f70f2bd024f00ecd5b3dcca45df73edda29dcee

From my perspective, none of those patches properly covers the vulnerability.
Have you planned to review this security issue?

An advisory is ready to be released on our side. However, we wait for a proper patch to be applied and for your CVE request to be issued.

Thanks for your cooperation.

Best Regards,
Jean-Benjamin Rousseau
Comment 8 Jean-Benjamin Rousseau 2019-09-11 05:20:28 EDT
Hello,

Any news on your side?
Comment 9 Wayne Beaton 2019-09-11 12:05:56 EDT
Reminder: project committers, I need you to engage. If you believe that a CVE should be created, follow the instructions in the handbook.

https://www.eclipse.org/projects/handbook/#vulnerability-cve

Per the security policy, we'll open this bug report for general access three months after the initial report (September 13/2019).
Comment 10 Wayne Beaton 2019-09-26 14:46:11 EDT
I've removed the Committer-only flag per the security policy.
Comment 11 Wayne Beaton 2019-12-18 14:21:03 EST
Adding the Eclipse EE4J Security Team representative to the bug.

Ajay, can you help the project team determine whether or not a CVE is warranted here and, if so, help them compose the information that we require to submit this to the central authority?

There's help here:

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 12 Wayne Beaton 2020-01-10 11:37:42 EST
Arjan, I need a resolution here. Do we assign a CVE or not?

If yes, I need some information from you.

https://www.eclipse.org/projects/handbook/#vulnerability-cve
Comment 13 Frederic Gurr 2021-12-23 06:45:11 EST
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/430.