CVE-2017-1000486: Potential EL Injection #1152
Comments
Thank you, do you have any suggestion for a fix?
Fixed via 26e44eb. Please review and reopen if necessary.
I'll check more thoroughly tomorrow with our team, but the fix seems to be good.
Here is a refactor: we keep an internal map in the session now; this map holds the key-expression values. Keys are sent in the URL and StreamedContentHandler gets the key to evaluate it. After that this map is cleared. Keys are encrypted UUIDs, so there is still the same encryption, but expressions are not exposed in the URL directly now. I'd appreciate your review.
This is a good fix; however, since you are using UUID.randomUUID().toString(), you don't need to encrypt the reference. You could pass the reference as the parameter as it is, without encrypting it.
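The indirection described in the two comments above, as an added illustration that is not PrimeFaces code: the renderer keeps the EL expression server-side in a session map and puts only an opaque random key in the URL, and the handler evaluates nothing it did not register itself. Class and method names, and the `Function` standing in for the EL resolver, are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.function.Function;

// Hypothetical session-scoped registry; names are assumptions, not the project's own classes.
public final class DynamicContentRegistry {
    private final Map<String, String> keyToExpression = new HashMap<>();

    // Renderer side: keep the EL expression on the server and hand out an opaque key for the URL.
    // A random UUID is unguessable, so the key needs no additional encryption.
    public String register(String elExpression) {
        String key = UUID.randomUUID().toString();
        keyToExpression.put(key, elExpression);
        return key;
    }

    // Handler side: only an expression the server registered is ever passed to the evaluator.
    // 'evaluate' stands in for the EL resolver; an unknown key yields empty and nothing is evaluated.
    public Optional<Object> handle(String keyFromUrl, Function<String, Object> evaluate) {
        String expression = keyToExpression.get(keyFromUrl);
        if (expression == null) {
            return Optional.empty();
        }
        try {
            return Optional.ofNullable(evaluate.apply(expression));
        } finally {
            keyToExpression.clear(); // the map is cleared once the request has been served
        }
    }

    public static void main(String[] args) {
        DynamicContentRegistry session = new DynamicContentRegistry();
        // Constructed sample: the expression a graphicImage renderer would register.
        String key = session.register("#{imageBean.image}");
        // Stand-in evaluator so the example runs without a JSF/EL runtime.
        Function<String, Object> fakeEl = expr -> "content for " + expr;

        // A request parameter that is an expression rather than an issued key is not evaluated.
        System.out.println("arbitrary expression resolved: "
                + session.handle("#{anything}", fakeEl).isPresent());
        // The server-issued key resolves to the expression that was registered for it.
        System.out.println("issued key resolved to: " + session.handle(key, fakeEl).orElse("rejected"));
        // After the map is cleared the same key no longer resolves.
        System.out.println("reused key resolved: " + session.handle(key, fakeEl).isPresent());
    }
}
```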
Awesome, thank you for the feedback. We'll do patch releases now.
Great to see something like this fixed. Unfortunately only after public exposure... Bad publicity evidently works to get things done ;-) Patch release of all 5.x community versions too? Otherwise exposure is still too big. Or just a small update jar?
Does this vulnerability also affect PrimeFaces 4.0? @cagataycivici
Probably, but not sure. You have to check the sources.
@tandraschko PrimeFaces 4.0 has a different way of handling this kind of request. PrimeFaces 4.0 has no StreamedContentHandler.java and DynamicResourceBuilder.java. But PrimeFaces 4.0 has PrimeResourceHandler.java, which is similar to StreamedContentHandler.java. Can I safely assume that PrimeFaces 4.0 does not have this issue?
Nope, sorry, it has the same problem.
@tandraschko oh my... so is it sufficient if I just modify PrimeResourceHandler.java just like StreamedContentHandler.java? What is the replacement for DynamicResourceBuilder.java in PF 4.0?
Don't have time to help you here. The DynamicResourceBuilder logic was in each Renderer (GraphicImage, Media and another one). I would just upgrade; we also fixed some XSS and many other bugs in the last few years.
@tandraschko I don't have the time and resources to upgrade :) even though I want to upgrade. I think I will also look into each Renderer as you mentioned. Thank you very much.
I just got CVE-2017-1000486 assigned for this issue via iwantacve.org. This will soon be published on cve.mitre.org and cvedetails.com to help people filter out vulnerable versions.
It looks like Bitcoin miners have found a way to exploit this bug, so I highly recommend everyone upgrade to a newer patched version. https://forum.primefaces.org/viewtopic.php?f=3&t=53750
PF creating a 5.2-SR and 5.3-SR (Security Release) would be a really, really good gesture... See my comment almost 2 years ago: #1152 (comment)
Temporary fix in the Apache config (/etc/apache2/sites-available/-ssl) by blocking (denying access to) the exploit xhtml page. WARNING: if your page uses functionality from 'dynamiccontent', it won't work anymore.
I'm dealing with the same miner script.
I wrote an article on how this vulnerability can be fixed for projects where an update is not an option. The example is for PrimeFaces 4.
Added CVE-2017-1000486 so future seekers can find this ticket.
Hi there,
Yes, 5.1 is vulnerable; I would move to 6.0 or higher immediately. Bitcoin miner malware was exploiting this defect.
Please, how do I get version 4.0.25?
@esternocleidomastoideo you'll need ELITE, see https://www.primefaces.org/showcase/support.xhtml
Hello guys.
@esternocleidomastoideo I would send an email to contact@primetek.com.tr
I don't understand how such an old update is not available for download until today.
@esternocleidomastoideo I understand your frustration. But shouldn't you be asking yourself why you want a patch to a 6-year-old JAR for 1 security fix when there have been over 100 other security fixes in the years since? https://github.com/primefaces/primefaces/issues?q=label%3A%22%3Alock%3A+security%22+is%3Aclosed Shouldn't you be looking to upgrade your software and close "more holes" rather than focusing on this 1 security issue in a 6-year-old version? Just my two cents...
Not talking about other libs and application servers... ;)
Simple: it is no longer worth investing in this system and we have to comply with a company directive until it is replaced.
Understood. Just wanted to make sure you knew you were plugging one hole while the dam is still leaking all around you.
The system has an expiration date, but we really need to live up to the norm until it's gone forever.
You can always overload the affected classes and patch them manually.
As already shared privately last year, "/org/primefaces/application/resource/StreamedContentHandler.java" is vulnerable to remotely exploitable code execution through EL Injection.
You can find more information here:
http://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html