Unauthenticated Remote Command Execution in IM 14.2



Article ID: 139441


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

A vulnerability was found in the deserialization of the HTTP parameter `javax.faces.ViewState`.

With a specially crafted HTTP request it is possible to obtain arbitrary command execution on myExampleDomain.com. No user account or authentication is required. An attacker creates a serialized Java object carrying a command-execution payload and sends it to myExampleDomain.com as the `javax.faces.ViewState` value; because the server deserializes the view state exactly as the client sent it, without encryption, the payload is executed. Data exfiltration is possible via at least DNS.



Environment

Release : 14.2

Component : IdentityMinder (Identity Manager)

Resolution

Add the following context-param entries to the web.xml file located under <iam_im.ear_location>/user_console.war/WEB-INF, after the last existing </context-param> element.



<!-- Secret key used to encrypt the view state before it is sent to the browser
     and to decrypt it when the browser posts it back -->
<context-param>
    <param-name>org.apache.myfaces.secret</param-name>
    <param-value>[any secret key]</param-value>
</context-param>

<!-- Cipher used with the secret above; AES in this example -->
<context-param>
    <param-name>org.apache.myfaces.algorithm</param-name>
    <param-value>AES</param-value>
</context-param>



The value supplied for [any secret key] must be in the form accepted by the selected algorithm: for AES that is a key of 16, 24 or 32 bytes, and MyFaces reads the parameter value as a Base64-encoded string. Generate a random key for each deployment rather than choosing a memorable word; the key is what stops an attacker from producing a view state the server will accept.

The algorithm is used both for encryption and for decryption of the view state, and this change can be used in environments with or without FIPS enabled.

This example uses AES encryption; any cipher algorithm supported by the Java runtime (JCE) can be used.

In this example the secret key used was 32 bytes, which selects AES-256. On older Java releases a 256-bit AES key requires the unlimited-strength JCE policy files to be installed.
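The script below is an added example and is not part of this article or of the CA Identity Manager product. It shows the two things a practitioner wants after reading the resolution: how to generate a key in the form MyFaces expects for org.apache.myfaces.secret (random bytes, Base64-encoded) and insert the two context-params after the last existing </context-param> in web.xml, and how to check an actual javax.faces.ViewState value returned by the console to confirm the fix took effect (an unencrypted client-side state is a serialized Java object, optionally gzipped, and is recognizable by its header bytes; after the change the value is ciphertext with no such header). The web.xml and the ViewState samples are constructed for the example; the product's real web.xml is larger.

```python
import base64
import gzip
import re
import secrets
import zlib

# Header of a serialized Java stream (STREAM_MAGIC 0xACED, STREAM_VERSION 5)
# and the gzip magic. Base64-encoded, these show up as "rO0AB" and "H4sI".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
GZIP_MAGIC = b"\x1f\x8b"

# Context-parameter names exactly as given in the article.
SECRET_PARAM = "org.apache.myfaces.secret"
ALGORITHM_PARAM = "org.apache.myfaces.algorithm"


def generate_secret(key_bytes: int = 32) -> str:
    """Random AES key, Base64-encoded (MyFaces Base64-decodes the secret).
    16, 24 or 32 bytes select AES-128, AES-192 or AES-256."""
    if key_bytes not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    return base64.b64encode(secrets.token_bytes(key_bytes)).decode("ascii")


def context_param_xml(name: str, value: str) -> str:
    return (
        "    <context-param>\n"
        f"        <param-name>{name}</param-name>\n"
        f"        <param-value>{value}</param-value>\n"
        "    </context-param>\n"
    )


def add_viewstate_encryption(web_xml: str, secret_b64: str, algorithm: str = "AES") -> str:
    """Insert the secret and algorithm context-params after the last existing
    </context-param>. Idempotent: if the secret is already configured, the
    input is returned unchanged rather than duplicated."""
    if SECRET_PARAM in web_xml:
        return web_xml
    anchors = list(re.finditer(r"</context-param>[ \t]*\n", web_xml))
    if not anchors:
        raise ValueError("web.xml has no <context-param> to anchor after")
    at = anchors[-1].end()
    block = context_param_xml(SECRET_PARAM, secret_b64) + context_param_xml(ALGORITHM_PARAM, algorithm)
    return web_xml[:at] + block + web_xml[at:]


def classify_viewstate(viewstate: str) -> str:
    """Classify a javax.faces.ViewState value taken from a page or request.
    'serialized' / 'gzip-serialized' mean a plain serialized Java object is
    being round-tripped through the client (the exploitable condition);
    'opaque' means no serialized-object header is visible, as expected once
    the view state is encrypted (or when state is kept server-side)."""
    try:
        raw = base64.b64decode(viewstate, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "not-base64"
    if raw.startswith(GZIP_MAGIC):
        try:
            inner = gzip.decompress(raw)
        except (OSError, EOFError, zlib.error):
            return "opaque"
        return "gzip-serialized" if inner.startswith(JAVA_STREAM_MAGIC) else "opaque"
    return "serialized" if raw.startswith(JAVA_STREAM_MAGIC) else "opaque"


# Constructed web.xml: a minimal deployment descriptor with one context-param
# and a servlet, standing in for user_console.war/WEB-INF/web.xml.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>client</param-value>
    </context-param>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    </servlet>
</web-app>
"""

# Constructed ViewState samples: the start of a serialized Java stream
# (TC_OBJECT, TC_CLASSDESC, class name), the same gzipped, and fixed bytes
# standing in for AES ciphertext.
_STREAM_STUB = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x11java.lang.Integer"
PLAIN_SERIALIZED = base64.b64encode(_STREAM_STUB).decode("ascii")
GZIPPED_SERIALIZED = base64.b64encode(gzip.compress(_STREAM_STUB)).decode("ascii")
OPAQUE = base64.b64encode(bytes(range(0x20, 0x40))).decode("ascii")

if __name__ == "__main__":
    key = generate_secret()
    print(add_viewstate_encryption(SAMPLE_WEB_XML, key))
    for label, vs in (("before", PLAIN_SERIALIZED), ("before (gzip)", GZIPPED_SERIALIZED), ("after", OPAQUE)):
        print(f"{label:14} {classify_viewstate(vs)}")
```

To verify a deployment, copy the value of the hidden javax.faces.ViewState field from a console page into classify_viewstate: "serialized" or "gzip-serialized" means the change has not taken effect (or the edited web.xml is not the one being served); "opaque" is the expected result after the restart.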