A vulnerability was found in the deserialization of the HTTP parameter `javax.faces.ViewState`.
With a specially crafted HTTP request, it is possible to obtain arbitrary command execution on myExampleDomain.com. No user account or authentication is required. An attacker must create a serialized Java object carrying a command-execution payload and send it via HTTP to myExampleDomain.com. Data exfiltration is possible via at least DNS.
Release: 14.2
Component: IdentityMinder (Identity Manager)
Add the following lines to the web.xml file located under <iam_im.ear_location>/user_console.war/WEB-INF, after the last existing </context-param> element:
<context-param>
  <param-name>org.apache.myfaces.secret</param-name>
  <param-value>[any secret key]</param-value>
</context-param>
<context-param>
  <param-name>org.apache.myfaces.algorithm</param-name>
  <param-value>AES</param-value>
</context-param>
The value substituted for [any secret key] must be in the format accepted by the selected encryption algorithm.
The algorithm is used for both encryption and decryption, and this change can be applied to environments with or without FIPS enabled. This example uses AES encryption; however, any algorithm supported by Java can be used.
In this example the secret key was 32 bytes.
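The following script is an added example, not code from the original advisory or from the vendor. It generates a secret of the size used above (32 random bytes, an AES-256 key) and audits a web.xml to confirm the two context-params are present and usable: the secret is not the documentation placeholder, and it decodes to a key length the chosen algorithm accepts. It assumes, as MyFaces documents, that org.apache.myfaces.secret is Base64-encoded and that the decoded bytes are handed to the JCE as the raw key, so the accepted lengths are those of the JCE ciphers (AES: 16/24/32 bytes). The web.xml skeleton, the KEY_LENGTHS table and the WEB_XML_TEMPLATE, hardened_fragment and audit_web_xml names are constructed for this example.

```python
import base64
import binascii
import secrets
import xml.etree.ElementTree as ET

# Key sizes (bytes) the JCE accepts per cipher family. Assumption: MyFaces Base64-decodes
# org.apache.myfaces.secret and passes the raw bytes to SecretKeySpec for the named algorithm.
KEY_LENGTHS = {
    "AES": {16, 24, 32},
    "DES": {8},
    "DESEDE": {16, 24},
}

# Constructed web.xml skeleton; {extra} is where the hardening fragment goes.
WEB_XML_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>javax.faces.PROJECT_STAGE</param-name>
    <param-value>Production</param-value>
  </context-param>
{extra}</web-app>
"""


def generate_secret(length=32):
    """Base64-encode `length` random bytes; 32 bytes yields an AES-256 key."""
    return base64.b64encode(secrets.token_bytes(length)).decode("ascii")


def hardened_fragment(secret, algorithm="AES"):
    """Render the two context-params from the advisory with a concrete secret."""
    return (
        "  <context-param>\n"
        "    <param-name>org.apache.myfaces.secret</param-name>\n"
        f"    <param-value>{secret}</param-value>\n"
        "  </context-param>\n"
        "  <context-param>\n"
        "    <param-name>org.apache.myfaces.algorithm</param-name>\n"
        f"    <param-value>{algorithm}</param-value>\n"
        "  </context-param>\n"
    )


def _local(tag):
    """Strip the namespace prefix ElementTree attaches to tags in a namespaced web.xml."""
    return tag.rsplit("}", 1)[-1]


def context_params(xml_text):
    """Map each <context-param> name (lower-cased) to its value."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name.lower()] = value
    return params


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the ViewState settings look correct."""
    params = context_params(xml_text)
    secret = params.get("org.apache.myfaces.secret") or ""
    algorithm = (params.get("org.apache.myfaces.algorithm") or "").upper()

    if not secret:
        return ["org.apache.myfaces.secret is missing or empty: no operator-chosen ViewState key"]
    if secret.startswith("[") and secret.endswith("]"):
        return ["org.apache.myfaces.secret still holds the documentation placeholder"]
    try:
        raw = base64.b64decode(secret, validate=True)
    except (binascii.Error, ValueError):
        return ["org.apache.myfaces.secret is not valid Base64"]

    findings = []
    if not algorithm:
        findings.append("org.apache.myfaces.algorithm is missing; set it explicitly (e.g. AES)")
    elif algorithm in KEY_LENGTHS and len(raw) not in KEY_LENGTHS[algorithm]:
        findings.append(f"secret decodes to {len(raw)} bytes, which {algorithm} does not accept")
    if len(raw) < 16:
        findings.append(f"secret is only {len(raw)} bytes; use at least 16 random bytes")
    return findings


if __name__ == "__main__":
    secret = generate_secret(32)
    print(hardened_fragment(secret))
    for label, extra in (("unpatched", ""), ("patched", hardened_fragment(secret))):
        print(label, audit_web_xml(WEB_XML_TEMPLATE.format(extra=extra)) or "OK")
```

Run it once to obtain a fresh secret and the fragment to paste into web.xml, then point audit_web_xml at the deployed file after the change; an empty result confirms both parameters are in place and the key length matches the algorithm.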