CVE-2016-5019 - Deserialization of Untrusted Data vulnerability in Apache MyFaces Trinidad

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
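The root cause named here and in the Nessus descriptions below is client-supplied view state restored straight through ObjectInputStream. As an added illustration, not Trinidad's own code, the hypothetical ViewStateCodec below shows that weak pattern next to a hardened form in which the same stream is restored only through a java.io.ObjectInputFilter allow-list with depth, array and byte limits (the listed types are assumed for the example; Java 9 or later is required). A token carrying any other class is rejected by name before its readObject logic ever runs.

```java
import java.io.*;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical view-state codec for illustration; not Trinidad's CoreResponseStateManager. */
public final class ViewStateCodec {

    // Allow-list of the types this (assumed) application actually stores in view state, plus
    // hard limits on graph depth, array length and stream size. "!*" rejects every other
    // class before its readObject can run. java.io.ObjectInputFilter needs Java 9 or later.
    private static final ObjectInputFilter STATE_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;maxbytes=65536;java.util.HashMap;java.lang.*;!*");

    /** Server side: serialize the saved state into the opaque token sent to the client. */
    public static String encode(Map<String, Object> state) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(state);
        }
        return Base64.getEncoder().encodeToString(bytes.toByteArray());
    }

    /** The weak pattern the advisory describes: client-supplied bytes go straight into readObject(). */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> decodeUnfiltered(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            return (Map<String, Object>) in.readObject();
        }
    }

    /** Hardened form: identical stream handling, but every class descriptor is checked first. */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> decodeFiltered(String token) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(token);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            in.setObjectInputFilter(STATE_FILTER);
            return (Map<String, Object>) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> good = new HashMap<>();
        good.put("page", 2);
        good.put("expanded", Boolean.TRUE);
        System.out.println("round trip: " + decodeFiltered(encode(good)));

        // Constructed stand-in for a class the application never puts in view state.
        // The filter rejects it by name, so its readObject logic is never reached.
        Map<String, Object> unexpected = new HashMap<>();
        unexpected.put("when", new Date());
        String token = encode(unexpected);
        System.out.println("unfiltered decode accepts: " + decodeUnfiltered(token).keySet());
        try {
            decodeFiltered(token);
        } catch (InvalidClassException e) {
            System.out.println("filtered decode rejected: " + e.getMessage());
        }
    }
}
```

Keep the allow-list to the types the application really serializes into state; widening it to whole package trees such as java.util.** gives back most of what the filter was meant to take away.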

Common Weakness Enumeration (CWE)

CWE-502: Deserialization of Untrusted Data

Nessus

  • NASL family: CGI abuses
    NASL id: ORACLE_PRIMAVERA_P6_EPPM_CPU_JUL_2017.NASL
    description: According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to 8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the Web Access component, specifically in Apache MyFaces Trinidad in CoreResponseStateManager, due to using ObjectInputStream and ObjectOutputStream strings directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a crafted serialized view state string, to execute arbitrary code. (CVE-2016-5019) - Multiple unspecified flaws exist in the Web Access component that allow an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10038, CVE-2017-10160) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10046) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2017-10131) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 101900
    published: 2017-07-21
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101900
    title: Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101900);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id(
        "CVE-2016-5019",
        "CVE-2017-10038",
        "CVE-2017-10046",
        "CVE-2017-10131",
        "CVE-2017-10160"
      );
      script_bugtraq_id(
        93236,
        99751,
        99757,
        99770,
        99793
      );
    
      script_name(english:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)");
      script_summary(english:"Checks the version of Oracle Primavera P6 EPPM.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the Oracle Primavera
    P6 Enterprise Project Portfolio Management (EPPM) installation running
    on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to
    8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is,
    therefore, affected by the following vulnerabilities :
    
      - A flaw exists in the Web Access component, specifically
        in Apache MyFaces Trinidad in CoreResponseStateManager,
        due to using ObjectInputStream and ObjectOutputStream
        strings directly without securely deserializing Java
        input. An unauthenticated, remote attacker can exploit
        this, via a crafted serialized view state string, to
        execute arbitrary code. (CVE-2016-5019)
    
      - Multiple unspecified flaws exist in the Web Access
        component that allow an authenticated, remote attacker
        to disclose sensitive information. (CVE-2017-10038,
        CVE-2017-10160)
    
      - An unspecified flaw exists in the Web Access component
        that allows an authenticated, remote attacker to
        impact confidentiality and integrity. (CVE-2017-10046)
    
      - An unspecified flaw exists in the Web Access component
        that allows an authenticated, remote attacker to
        impact confidentiality, integrity, and availability.
        (CVE-2017-10131)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76f5def7");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Oracle Primavera P6 Enterprise Project Portfolio Management
    (EPPM) version 8.3.15.4 / 8.4.15.2 / 15.2.15.1 / 16.2.9.0 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/21");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_p6_eppm");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_primavera_p6_eppm.nbin");
      script_require_keys("installed_sw/Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", "www/weblogic");
      script_require_ports("Services/www", 8004);
    
      exit(0);
    }
    
    include("http.inc");
    include("vcf.inc");
    
    get_install_count(app_name:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", exit_if_zero:TRUE);
    
    port = get_http_port(default:8004);
    get_kb_item_or_exit("www/weblogic/" + port + "/installed");
    
    app_info = vcf::get_app_info(app:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", port:port);
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { "min_version" : "8.3.0.0", "max_version" : "8.3.15.4", "fixed_version" : "8.3.15.4" },
      { "min_version" : "8.4.0.0", "max_version" : "8.4.15.2", "fixed_version" : "8.4.15.2" },
      { "min_version" : "15.0.0.0", "max_version" : "15.2.15.1", "fixed_version" : "15.2.15.1" },
      { "min_version" : "16.0.0.0", "max_version" : "16.2.9.0", "fixed_version" : "16.2.9.0" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE); 
    
    
  • NASL family: Misc.
    NASL id: ORACLE_JDEVELOPER_CPU_JULY_2016.NASL
    description: The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities : - A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504) - A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93592
    published: 2016-09-19
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93592
    title: Oracle JDeveloper Multiple RCE (July 2016 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93592);
      script_version("1.12");
      script_cvs_date("Date: 2019/02/07 10:19:52");
    
      script_cve_id("CVE-2016-3504", "CVE-2016-5019");
      script_bugtraq_id(92023, 93236);
    
      script_name(english:"Oracle JDeveloper Multiple RCE (July 2016 CPU)");
      script_summary(english:"Checks for the patch.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A software development application installed on the remote host is
    affected by multiple remote code execution vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle JDeveloper installed on the remote host is
    missing a security patch. It is, therefore, affected by multiple
    remote code execution vulnerabilities :
    
      - A remote code execution vulnerability exists in the
        Application Development Framework (ADF) Faces
        subcomponent that allows an unauthenticated, remote
        attacker to execute arbitrary code. (CVE-2016-3504)
    
      - A remote code execution vulnerability exists in the
        Apache MyFaces Trinidad component in the
        CoreResponseStateManager subcomponent due to improper
        validation of the ObjectInputStream and
        ObjectOutputStream strings prior to deserialization. An
        unauthenticated, remote attacker can exploit this to
        execute arbitrary code. (CVE-2016-5019)");
      # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the July 2016 Oracle Critical
    Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5019");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/19");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdeveloper");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_jdeveloper_installed.nbin");
      script_require_keys("installed_sw/Oracle JDeveloper");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("oracle_rdbms_cpu_func.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app_name = "Oracle JDeveloper";
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    version = install['version'];
    path = install['path'];
    
    patch_info = find_patches_in_ohomes(ohomes:make_list(path, path + "\jdeveloper"));
    patches = make_list();
    
    # this is the resulting list of ohomes
    foreach ohome (keys(patch_info))
    {
      # these are the patches enumerated from each ohome
      foreach info (keys(patch_info[ohome]))
      {
        # build a list of all patches in all ohomes to test against
        patches = make_list(patches, info);
      }
    }
    
    fixes = NULL;
    
    # If any are present, the host should be considered patched.
    if (version =~ "^11\.1\.1\.7($|\.[01]$)")
      fixes = make_list('23622763', '25252636', '25264940', '27251436');
    else if (version =~ "^11\.1\.1\.9($|\.0$)")
      fixes = make_list('23622640', '25245227', '27120730');
    else if (version =~ "^11\.1\.2\.4($|\.0$)")
      fixes = make_list('23754328', '25372028', '24730407', '27213077');
    else if (version =~ "^12\.1\.3\.0($|\.0$)")
      fixes = make_list('23754311', '25324374', '25635721', '26826138', '27131743', '27800100');
    else if (version =~ "^12\.2\.1\.0($|\.0$)")
      fixes = make_list('23622699', '25335432', '25637372');
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
    
    vuln = TRUE;
    foreach patch (patches)
    {
      foreach fix (fixes)
      {
        if (patch == fix)
        {
          vuln = FALSE;
          break;
        }
      }
      if (!vuln) break;
    }
    
    if (vuln)
    {
      items = make_array("Path", path,
                         "Version", version,
                         "Required patch", join(fixes, sep:", ")
                        );
      order = make_list("Path", "Version", "Required patch");
      report = report_items_str(report_items:items, ordered_fields:order);
    
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
      
    
    
  • NASL family: Misc.
    NASL id: ORACLE_ENTERPRISE_MANAGER_JAN_2017_CPU.NASL
    description: The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940) - A flaw exists in Apache MyFaces Trinidad, specifically in the CoreResponseStateManager component, due to the ObjectInputStream and ObjectOutputStream strings being used directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a deserialization attack using a crafted serialized view state string, to have an unspecified impact that may include the execution of arbitrary code. (CVE-2016-5019) Note that the product was formerly known as Enterprise Manager Grid Control.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96777
    published: 2017-01-25
    reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/96777
    title: Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96777);
      script_version("1.9");
      script_cvs_date("Date: 2018/11/15 20:50:23");
    
      script_cve_id("CVE-2015-7940", "CVE-2016-5019");
      script_bugtraq_id(79091, 93236);
    
      script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)");
      script_summary(english:"Checks for the patch ID.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An enterprise management application installed on the remote host is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle Enterprise Manager Cloud Control installed on
    the remote host is affected by multiple vulnerabilities in the
    Enterprise Manager Base Platform component :
    
      - A flaw exists in the Bouncy Castle Java library due to
        improper validation of a point within the elliptic
        curve. An unauthenticated, remote attacker can exploit
        this to obtain private keys by using a series of
        specially crafted elliptic curve Diffie-Hellman (ECDH)
        key exchanges, also known as an 'invalid curve attack.'
        (CVE-2015-7940)
    
      - A flaw exists in Apache MyFaces Trinidad, specifically
        in the CoreResponseStateManager component, due to the
        ObjectInputStream and ObjectOutputStream strings being
        used directly without securely deserializing Java input.
        An unauthenticated, remote attacker can exploit this,
        via a deserialization attack using a crafted serialized
        view state string, to have an unspecified impact that
        may include the execution of arbitrary code.
        (CVE-2016-5019)
    
    Note that the product was formerly known as Enterprise Manager Grid
    Control.");
      # https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixEM
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7143085e");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2017 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
    
      script_dependencies("oracle_enterprise_manager_installed.nbin");
      script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("oracle_rdbms_cpu_func.inc");
    include("install_func.inc");
    
    product = "Oracle Enterprise Manager Cloud Control";
    install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
    version = install['version'];
    emchome = install['path'];
    
    patchid = NULL;
    missing = NULL;
    patched = FALSE;
    
    if (version =~ "^13\.1\.0\.0(\.[0-9]+)?$")
    {
      patchid = "24897689";
      fix = "13.1.0.0.170117";
    }
    else if (version =~ "^12\.1\.0\.5(\.[0-9]+)?$")
    {
      patchid = "24897692";
      fix = "12.1.0.5.170117";
    }
    
    if (isnull(patchid))
      audit(AUDIT_HOST_NOT, 'affected');
    
    # compare version to check if we've already adjusted for patch level during detection
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);
    
    # Now look for the affected components
    patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));
    if (isnull(patchesinstalled))
      missing = patchid;
    else
    {
      foreach applied (keys(patchesinstalled[emchome]))
      {
        if (applied == patchid)
        {
          patched = TRUE;
          break;
        }
        else
        {
          foreach bugid (patchesinstalled[emchome][applied]['bugs'])
          {
            if (bugid == patchid)
            {
              patched = TRUE;
              break;
            }
          }
          if (patched) break;
        }
      }
      if (!patched)
        missing = patchid;
    }
    
    if (empty_or_null(missing))
      audit(AUDIT_HOST_NOT, 'affected');
    
    order = make_list('Product', 'Version', "Missing patch");
    report = make_array(
      order[0], product,
      order[1], version,
      order[2], patchid
    );
    report = report_items_str(report_items:report, ordered_fields:order);
    
    security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
    
