Oracle Mojarra EL Expression Evaluation Security Bypass Vulnerability

Bugtraq ID:	50846
Class:	Design Error
CVE:	CVE-2011-4358
Remote:	Yes
Local:	No
Published:	Nov 29 2011 12:00AM
Updated:	Jul 17 2012 10:50PM
Credit:	balusc
Vulnerable:	Sun Glassfish Enterprise Server 3.1.1 Sun Glassfish Enterprise Server 3.0.1 Oracle Mojarra 2.1.3 Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64
Not Vulnerable:	Oracle Mojarra 2.2 Oracle Mojarra 2.1.5

Oracle Mojarra EL Expression Evaluation Security Bypass Vulnerability

Oracle Mojarra is prone to a security-bypass vulnerability.

Attackers can exploit this issue to bypass certain security protections and execute arbitrary script code in the browser of an unsuspecting user in the context of an affected application.

Oracle Mojarra EL Expression Evaluation Security Bypass Vulnerability

Few code examples are available to demonstrate this issue. Please see the references for more information.

Oracle Mojarra EL Expression Evaluation Security Bypass Vulnerability

Solution:
Updates are available. Please see the references for more information.

Oracle Mojarra EL Expression Evaluation Security Bypass Vulnerability

References:

• includeViewParameters re-evaluates param/model values as EL expressions (JIRA)
  
• Oracle Mojarra Homepage (Oracle)
  
• Oracle Critical Patch Update Advisory - July 2012 (Oracle)