Vulnerabilities > CVE-2016-5019 - Deserialization of Untrusted Data vulnerability in Apache Myfaces Trinidad
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family CGI abuses NASL id ORACLE_PRIMAVERA_P6_EPPM_CPU_JUL_2017.NASL description According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to 8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the Web Access component, specifically in Apache MyFaces Trinidad in CoreResponseStateManager, due to using ObjectInputStream and ObjectOutputStream strings directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a crafted serialized view state string, to execute arbitrary code. (CVE-2016-5019) - Multiple unspecified flaws exist in the Web Access component that allow an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10038, CVE-2017-10160) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10046) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2017-10131) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 101900 published 2017-07-21 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101900 title Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(101900); script_version("1.7"); script_cvs_date("Date: 2019/11/12"); script_cve_id( "CVE-2016-5019", "CVE-2017-10038", "CVE-2017-10046", "CVE-2017-10131", "CVE-2017-10160" ); script_bugtraq_id( 93236, 99751, 99757, 99770, 99793 ); script_name(english:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)"); script_summary(english:"Checks the version of Oracle Primavera P6 EPPM."); script_set_attribute(attribute:"synopsis", value: "An application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to 8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the Web Access component, specifically in Apache MyFaces Trinidad in CoreResponseStateManager, due to using ObjectInputStream and ObjectOutputStream strings directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a crafted serialized view state string, to execute arbitrary code. (CVE-2016-5019) - Multiple unspecified flaws exist in the Web Access component that allow an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10038, CVE-2017-10160) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10046) - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2017-10131) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76f5def7"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) version 8.3.15.4 / 8.4.15.2 / 15.2.15.1 / 16.2.9.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/29"); script_set_attribute(attribute:"patch_publication_date", value:"2017/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/21"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_p6_eppm"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_p6_eppm.nbin"); script_require_keys("installed_sw/Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", "www/weblogic"); script_require_ports("Services/www", 8004); exit(0); } include("http.inc"); include("vcf.inc"); get_install_count(app_name:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", exit_if_zero:TRUE); port = get_http_port(default:8004); get_kb_item_or_exit("www/weblogic/" + port + "/installed"); app_info = vcf::get_app_info(app:"Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM)", port:port); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { "min_version" : "8.3.0.0", "max_version" : "8.3.15.4", "fixed_version" : "8.3.15.4" }, { "min_version" : "8.4.0.0", "max_version" : "8.4.15.2", "fixed_version" : "8.4.15.2" }, { "min_version" : "15.0.0.0", "max_version" : "15.2.15.1", "fixed_version" : "15.2.15.1" }, { "min_version" : "16.0.0.0", "max_version" : "16.2.9.0", "fixed_version" : "16.2.9.0" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family Misc. NASL id ORACLE_JDEVELOPER_CPU_JULY_2016.NASL description The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities : - A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504) - A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019) last seen 2020-06-01 modified 2020-06-02 plugin id 93592 published 2016-09-19 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93592 title Oracle JDeveloper Multiple RCE (July 2016 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(93592); script_version("1.12"); script_cvs_date("Date: 2019/02/07 10:19:52"); script_cve_id("CVE-2016-3504", "CVE-2016-5019"); script_bugtraq_id(92023, 93236); script_name(english:"Oracle JDeveloper Multiple RCE (July 2016 CPU)"); script_summary(english:"Checks for the patch."); script_set_attribute(attribute:"synopsis", value: "A software development application installed on the remote host is affected by multiple remote code execution vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities : - A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504) - A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019)"); # http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?453b5f8c"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2016 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5019"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/19"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jdeveloper"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_jdeveloper_installed.nbin"); script_require_keys("installed_sw/Oracle JDeveloper"); exit(0); } include("global_settings.inc"); include("oracle_rdbms_cpu_func.inc"); include("misc_func.inc"); include("install_func.inc"); app_name = "Oracle JDeveloper"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); version = install['version']; path = install['path']; patch_info = find_patches_in_ohomes(ohomes:make_list(path, path + "\jdeveloper")); patches = make_list(); # this is the resulting list of ohomes foreach ohome (keys(patch_info)) { # these are the patches enumerated from each ohome foreach info (keys(patch_info[ohome])) { # build a list of all patches in all ohomes to test against patches = make_list(patches, info); } } fixes = NULL; # If any are present, the host should be considered patched. if (version =~ "^11\.1\.1\.7($|\.[01]$)") fixes = make_list('23622763', '25252636', '25264940', '27251436'); else if (version =~ "^11\.1\.1\.9($|\.0$)") fixes = make_list('23622640', '25245227', '27120730'); else if (version =~ "^11\.1\.2\.4($|\.0$)") fixes = make_list('23754328', '25372028', '24730407', '27213077'); else if (version =~ "^12\.1\.3\.0($|\.0$)") fixes = make_list('23754311', '25324374', '25635721', '26826138', '27131743', '27800100'); else if (version =~ "^12\.2\.1\.0($|\.0$)") fixes = make_list('23622699', '25335432', '25637372'); else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path); vuln = TRUE; foreach patch (patches) { foreach fix (fixes) { if (patch == fix) { vuln = FALSE; break; } } if (!vuln) break; } if (vuln) { items = make_array("Path", path, "Version", version, "Required patch", join(fixes, sep:", ") ); order = make_list("Path", "Version", "Required patch"); report = report_items_str(report_items:items, ordered_fields:order); security_report_v4(port:0, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
NASL family Misc. NASL id ORACLE_ENTERPRISE_MANAGER_JAN_2017_CPU.NASL description The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an last seen 2020-06-01 modified 2020-06-02 plugin id 96777 published 2017-01-25 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96777 title Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96777); script_version("1.9"); script_cvs_date("Date: 2018/11/15 20:50:23"); script_cve_id("CVE-2015-7940", "CVE-2016-5019"); script_bugtraq_id(79091, 93236); script_name(english:"Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)"); script_summary(english:"Checks for the patch ID."); script_set_attribute(attribute:"synopsis", value: "An enterprise management application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940) - A flaw exists in Apache MyFaces Trinidad, specifically in the CoreResponseStateManager component, due to the ObjectInputStream and ObjectOutputStream strings being used directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a deserialization attack using a crafted serialized view state string, to have an unspecified impact that may include the execution of arbitrary code. (CVE-2016-5019) Note that the product was formerly known as Enterprise Manager Grid Control."); # https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixEM script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7143085e"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the January 2017 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/15"); script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/25"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:enterprise_manager"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc."); script_dependencies("oracle_enterprise_manager_installed.nbin"); script_require_keys("installed_sw/Oracle Enterprise Manager Cloud Control"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("oracle_rdbms_cpu_func.inc"); include("install_func.inc"); product = "Oracle Enterprise Manager Cloud Control"; install = get_single_install(app_name:product, exit_if_unknown_ver:TRUE); version = install['version']; emchome = install['path']; patchid = NULL; missing = NULL; patched = FALSE; if (version =~ "^13\.1\.0\.0(\.[0-9]+)?$") { patchid = "24897689"; fix = "13.1.0.0.170117"; } else if (version =~ "^12\.1\.0\.5(\.[0-9]+)?$") { patchid = "24897692"; fix = "12.1.0.5.170117"; } if (isnull(patchid)) audit(AUDIT_HOST_NOT, 'affected'); # compare version to check if we've already adjusted for patch level during detection if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0) audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome); # Now look for the affected components patchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome)); if (isnull(patchesinstalled)) missing = patchid; else { foreach applied (keys(patchesinstalled[emchome])) { if (applied == patchid) { patched = TRUE; break; } else { foreach bugid (patchesinstalled[emchome][applied]['bugs']) { if (bugid == patchid) { patched = TRUE; break; } } if (patched) break; } } if (!patched) missing = patchid; } if (empty_or_null(missing)) audit(AUDIT_HOST_NOT, 'affected'); order = make_list('Product', 'Version', "Missing patch"); report = make_array( order[0], product, order[1], version, order[2], patchid ); report = report_items_str(report_items:report, ordered_fields:order); security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
References
- http://mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/%3CCAM1yOjYM%2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE5%3DEQzR8Yxsfw%40mail.gmail.com%3E
- http://mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/%3CCAM1yOjYM%2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE5%3DEQzR8Yxsfw%40mail.gmail.com%3E
- http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html
- http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/93236
- http://www.securityfocus.com/bid/93236
- http://www.securitytracker.com/id/1037633
- http://www.securitytracker.com/id/1037633
- https://issues.apache.org/jira/browse/TRINIDAD-2542
- https://issues.apache.org/jira/browse/TRINIDAD-2542
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html