JVNDB-2015-000118

Apache Tapestry deserializes untrusted data

Apache Tapestry contains a vulnerability where it may deserialize untrusted data.

Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface where client side serialized data sent to the server is deserialized after it is received by the server. This data serialization / deserialization process does not contain data validation. Therefore, if the serialized data is altered, the server will deserailze data without validating the data (CWE-502).

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Applications that are created using the following versions are affected:

Apache Software Foundation

• Apache Tapestry 5.0.x (all versions)
• Apache Tapestry 5.1.x (all versions)
• Apache Tapestry 5.2.x (all versions)
• Apache Tapestry 5.3 to 5.3.5

According to the developer, unsupported versions of Tapestry, 3.x and 4.x versions may be affected by this issue.

When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.

[Apply an Update]
Update to the latest version according to the information provided by the developer.

Apache Software Foundation

• Apache Software Foundation : Release Notes 5.3.6
• ASF JIRA : Serialized object data stored on the client should be HMAC signed and validated

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2014-1972

1. JVN : JVN#17611367
2. National Vulnerability Database (NVD) : CVE-2014-1972
3. JPCERT : OracleJava-AtomicReferenceArray.pdf (in Japanese)
4. Related Information : SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary

• [2015/08/20]
    Web page was published
  [2015/08/26]
    References : Content was added