Apache MyFaces Trinidad CVE-2016-5019 Remote Code Execution Vulnerability

Apache MyFaces Trinidad is prone to a security vulnerability.

Successfully exploiting this issue allows attackers to obtain sensitive information or execute arbitrary code in the context of the affected application.

Apache MyFaces Trinidad 1.2.14-core , 1.0.13-core , 2.0.1-core and 2.1.1-core are vulnerable.

Information

Bugtraq ID: 93236
Class: Serialization Error
CVE: CVE-2016-5019

Remote: Yes
Local: No
Published: Sep 29 2016 12:00AM
Updated: Apr 19 2017 06:05PM
Credit: Teemu Kääriäinen and Andy Schwartz.
Vulnerable: Oracle Utilities Customer Self Service 2.1.0.2.0
Oracle StorageTek Tape Analytics SW Tool 0
Oracle Enterprise Manager Base Platform 13.2.0.0
Oracle Enterprise Manager Base Platform 13.1.0.0
Oracle Enterprise Manager Base Platform 12.1.0.5
Oracle Application Testing Suite 12.5.0.3
Apache MyFaces Trinidad 2.1.1
Apache MyFaces Trinidad 2.0.1
Apache MyFaces Trinidad 1.2.14
Apache MyFaces Trinidad 1.0.13

Not Vulnerable: Oracle StorageTek Tape Analytics SW Tool 2.2.1
Apache MyFaces Trinidad 2.1.2
Apache MyFaces Trinidad 2.0.2
Apache MyFaces Trinidad 1.2.15

References:

• CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerabili (Seclists.org)
  
• Apache Homepage (Apache)
  
• Apache MyFaces Trinidad Homepage (Apache)
  
• CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerabilit (Apache)
  
• Oracle Critical Patch Update Advisory - April 2017 (Oracle)
  
• Oracle Critical Patch Update Advisory - January 2017 (Oracle)
  

Source: www.securityfocus.com