Apache Tapestry deserializes untrusted data
Apache Tapestry contains a vulnerability where it may deserialize untrusted data.

Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface in which client-side serialized data sent to the server is deserialized after the server receives it. This serialization / deserialization process performs no validation of the data. Therefore, if the serialized data is altered, the server will deserialize it without validating it (CWE-502).
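The round trip described above, as an added illustration that is not Tapestry's code and does not reproduce Tapestry's internals: a server hands the browser a Base64 token holding serialized form state and later reads it back. `deserializeUnchecked` shows the CWE-502 shape (client bytes go straight into `ObjectInputStream`), while `serializeAndSign` / `verifyAndDeserialize` follow the SER02-J advice cited in the references (sign the bytes before they cross the trust boundary, verify before deserializing) and add an allow-list filter as defence in depth. The class name, the demo key and the set of allowed classes are constructed for this example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical server-side handling of serialized form state (demo code, not Tapestry's). */
public class FormStateTokenDemo {

    // Constructed demo key. A real server loads its key from configuration; it never reaches the client.
    private static final byte[] SERVER_KEY =
            "demo-only-secret-replace-in-real-code".getBytes(StandardCharsets.UTF_8);

    // Only the classes this particular form state is expected to contain; anything else is rejected.
    private static final Set<String> ALLOWED_CLASSES = Set.of("java.util.ArrayList", "java.lang.String");
    private static final int MAX_ARRAY_LENGTH = 1_000;

    /** Vulnerable shape (CWE-502): the server trusts whatever bytes the client sends back. */
    static Object deserializeUnchecked(String tokenFromClient) throws IOException, ClassNotFoundException {
        byte[] payload = Base64.getDecoder().decode(tokenFromClient);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject(); // any Serializable class on the classpath may be instantiated here
        }
    }

    /** Hardened shape, step 1 (SER02-J): sign the serialized bytes before they leave the server. */
    static String serializeAndSign(Serializable state) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(state);
        }
        byte[] payload = bos.toByteArray();
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(hmac(payload)) + ":" + b64.encodeToString(payload);
    }

    /** Hardened shape, step 2: verify the signature, then deserialize under an allow-list filter. */
    static Object verifyAndDeserialize(String tokenFromClient) throws IOException, ClassNotFoundException {
        int sep = tokenFromClient.indexOf(':');
        if (sep < 0) {
            throw new SecurityException("malformed state token");
        }
        byte[] mac = Base64.getDecoder().decode(tokenFromClient.substring(0, sep));
        byte[] payload = Base64.getDecoder().decode(tokenFromClient.substring(sep + 1));
        // Constant-time comparison, done before ObjectInputStream sees a single byte of the payload.
        if (!MessageDigest.isEqual(mac, hmac(payload))) {
            throw new SecurityException("state token failed integrity check");
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            // Defence in depth (Java 9+): a validly signed stream may still only name expected classes.
            in.setObjectInputFilter(FormStateTokenDemo::allowListFilter);
            return in.readObject();
        }
    }

    private static ObjectInputFilter.Status allowListFilter(ObjectInputFilter.FilterInfo info) {
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED; // depth and reference checks carry no class
        }
        if (c.isArray()) {
            // ArrayList's readObject asks the filter about an Object[] of the declared element count.
            return info.arrayLength() <= MAX_ARRAY_LENGTH
                    ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
        }
        return ALLOWED_CLASSES.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    }

    private static byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SERVER_KEY, "HmacSHA256"));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<String> state = new ArrayList<>(List.of("field-a", "field-b"));
        String token = serializeAndSign(state);
        System.out.println("untampered token round-trips: " + verifyAndDeserialize(token));

        // Simulate an altered submission: flip one bit of the payload while keeping the original MAC.
        int sep = token.indexOf(':');
        byte[] payload = Base64.getDecoder().decode(token.substring(sep + 1));
        payload[payload.length - 1] ^= 0x01;
        String tampered = token.substring(0, sep + 1) + Base64.getEncoder().encodeToString(payload);
        try {
            verifyAndDeserialize(tampered);
        } catch (SecurityException e) {
            System.out.println("tampered token rejected: " + e.getMessage());
        }
    }
}
```

The ordering is the point: the MAC check fails closed before any object graph is parsed, so an altered token never reaches `readObject`. The `ObjectInputFilter` requires Java 9 or later; on Java 8 the equivalent guard is an `ObjectInputStream` subclass that overrides `resolveClass` and throws for any class not on the allow list.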

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Applications that are created using the following versions are affected:

Apache Software Foundation
  • Apache Tapestry 5.0.x (all versions)
  • Apache Tapestry 5.1.x (all versions)
  • Apache Tapestry 5.2.x (all versions)
  • Apache Tapestry 5.3 to 5.3.5

According to the developer, the unsupported Tapestry 3.x and 4.x versions may also be affected by this issue.

Impact

When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.

Solution

[Apply an Update]
Update to the latest version according to the information provided by the developer.

Vendor Information

Apache Software Foundation

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2014-1972

References

  1. JVN : JVN#17611367
  2. National Vulnerability Database (NVD) : CVE-2014-1972
  3. JPCERT : OracleJava-AtomicReferenceArray.pdf (in Japanese)
  4. Related Information : SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary

Revision History

  • [2015/08/20]
      Web page was published
      References : Content was added