
Bug 771543 (CVE-2021-26296)

Summary: <dev-java/myfaces-api-2.2.14: insecure CSRF token generation (CVE-2021-26296)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: fordfrog, java
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.openwall.com/lists/oss-security/2021/02/18/5
See Also: https://github.com/gentoo/gentoo/pull/19537
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 698100    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-19 02:24:46 UTC
CVE-2021-26296:

Description:
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13,
2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use
cryptographically weak implicit and explicit cross-site request forgery
(CSRF) tokens. Due to that limitation, it is possible (although difficult)
for an attacker to calculate a future CSRF token value and to use that
value to trick a user into executing unwanted actions on an application.

This issue is being tracked as MYFACES-4373.

Mitigation:
Existing web.xml configuration parameters can be used to direct MyFaces to
use SecureRandom for CSRF token generation:

org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom
org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom
org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom
Please bump to 2.2.13.
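As an added illustration of the web.xml mitigation above (this is not code from the bug report or from MyFaces), the following Python check parses a deployed web.xml, namespaced or not, and reports any of the three context parameters that is absent or not set to secureRandom. The two sample web.xml documents are constructed; the weak value "random" in the first sample is assumed to be the name of the non-secure generator.

```python
import xml.etree.ElementTree as ET

# The three MyFaces context parameters from the advisory; each must be
# "secureRandom" so the session tokens come from java.security.SecureRandom.
TOKEN_PARAMS = (
    "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN",
    "org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN",
)
SECURE_VALUE = "secureRandom"

def _local(tag):
    """Strip the namespace: '{http://xmlns.jcp.org/xml/ns/javaee}x' -> 'x'."""
    return tag.rsplit("}", 1)[-1]

def context_params(web_xml):
    """Map every <context-param> name to its value, whatever namespace is declared."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) == "context-param":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            if "param-name" in fields:
                params[fields["param-name"]] = fields.get("param-value")
    return params

def csrf_token_findings(web_xml):
    """Return {param: problem} for each token parameter not set to secureRandom.
    A missing parameter is a finding too: on the affected versions the default
    generator is the weak one the advisory describes."""
    params = context_params(web_xml)
    findings = {}
    for name in TOKEN_PARAMS:
        if name not in params:
            findings[name] = "missing (weak default applies)"
        elif params[name] != SECURE_VALUE:
            findings[name] = f"set to {params[name]!r}, expected {SECURE_VALUE!r}"
    return findings

# Constructed sample: a namespaced web.xml with one token parameter set to the
# (assumed) non-secure generator name "random" and the other two left unset.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param><param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name>
    <param-value>random</param-value></context-param>
</web-app>"""

# Constructed hardened sample with all three parameters set as the advisory says.
HARDENED_WEB_XML = "<web-app>%s</web-app>" % "".join(
    f"<context-param><param-name>{p}</param-name>"
    f"<param-value>{SECURE_VALUE}</param-value></context-param>" for p in TOKEN_PARAMS)
```

Treat this as a configuration audit only; the actual fix is the version bump this bug tracks, and the parameters are the stopgap for deployments that cannot upgrade yet.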
Comment 1 Larry the Git Cow gentoo-dev 2021-02-20 10:27:42 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=93accc4d29aece50ff3069af5acf52e19e73956e

commit 93accc4d29aece50ff3069af5acf52e19e73956e
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-02-19 09:07:42 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-02-20 10:27:36 +0000

    dev-java/myfaces-api: bump to 2.2.14 (CVE-2021-26296)
    
    Bug: https://bugs.gentoo.org/771543
    Package-Manager: Portage-3.0.13, Repoman-3.0.2
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/19537
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/myfaces-api/Manifest                  |  1 +
 dev-java/myfaces-api/myfaces-api-2.2.14.ebuild | 42 ++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2021-02-20 10:33:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4a22823d3d6e99a8a5497fa0904beb5467c38a62

commit 4a22823d3d6e99a8a5497fa0904beb5467c38a62
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2021-02-20 10:33:09 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-02-20 10:33:09 +0000

    dev-java/myfaces-api: removed obsolete and vulnerable 2.2.8
    
    Bug: https://bugs.gentoo.org/771543
    Package-Manager: Portage-3.0.14, Repoman-3.0.2
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/myfaces-api/Manifest                 |  1 -
 dev-java/myfaces-api/myfaces-api-2.2.8.ebuild | 44 ---------------------------
 2 files changed, 45 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2021-02-20 10:33:56 UTC
We're clean now, you can proceed...
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-20 15:07:14 UTC
Thank you! All done.