PH62753:IBM WebSphere Application Server is vulnerable to a denial of service (CVE-2024-45085 CVSS 5.9)

View the Security Bulletin

PH62753 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server is vulnerable to a denial of service when a JSF application configured with Sun Reference Implementation 1.2 is deployed

PROBLEM SUMMARY:
IBM WebSphere Application Server is vulnerable to a denial of service, under certain configurations, caused by an unexpected specially crafted request. A remote attacker could exploit this vulnerability to cause an error resulting in a denial of service.

The CVE ID is CVE-2024-45085.

PROBLEM CONCLUSION:
IBM WebSphere Application Server is vulnerable to a denial of service when a JSF application configured with Sun Reference Implementation 1.2 is deployed.

The code is updated to avoid this issue and to be more secure by default. A number of changes have been introduced.

Breaking Change:
This APAR updated the encryption from DES to AES. This means key sizes (set via com.sun.faces.ClientStateSavingPassword) must be updated to be either 16, 24, or 32 characters (128, 192, and 256 bits, respectively). This password must also Base64 encoded. For example: if you are using "asdf1234asdf1234" (16 characters) as the key, then the web.xml file must reference "YXNkZjEyMzRhc2RmMTIzNA==".  For example:

 

<env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name> <env-entry-value>YXNkZjEyMzRhc2RmMTIzNA==</env-entry-value> <env-entry-type>java.lang.String</env-entry-type> </env-entry>

If it is configured incorrectly, a decoding error or key size exception is emitted.

Context Parameters Changes:
- com.sun.faces.generateUniqueServerStateIds (new)
By default, this property is set to true and it creates random viewstate ids for server side state saving which helps combat CSRF attacks. If set to false, it uses sequential ids, which is the behavior prior to this APAR.

- com.sun.faces.disableClientStateEncryption (new)

Client side state saving is always encrypted, either with a randomly generated key or a key set with the com.sun.faces.ClientStateSavingPassword property. To disable encryption, change this value to true.

- com.sun.faces.autoCompleteOffOnViewState (new)
When this property is set to true, it adds the autocomplete="off" attribute to the viewstate element in the HTML to prevent browsers from using a previous viewstate by accident. By default, this property is set to false.

- com.sun.faces.compressViewState (updated)
This now compresses the server-side viewstate when com.sun.faces.serializeServerState is also enabled. By default, compression is enabled, but serializeServerState is still disabled by default.

The fix for this APAR is targeted for inclusion in 8.5.5.27.

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553