| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.causeway.commons:causeway-commons | maven | < 3.5.0 | 3.5.0 |
| org.apache.causeway.core:causeway-applib | maven | < 3.5.0 | 3.5.0 |
| org.apache.causeway.core:causeway-core | maven | < 3.5.0 | 3.5.0 |
| org.apache.causeway.viewer:causeway-viewer-wicket | maven | < 3.5.0 | 3.5.0 |
The vulnerability exists because Apache Causeway deserialized ViewModel state from URL parameters (bookmarks) without verifying the integrity of the data. This allowed an attacker to craft a malicious URL containing a serialized Java object, which, when processed by the application, would lead to Remote Code Execution (RCE).
The vulnerability was present in multiple locations where ViewModel mementos were deserialized. The core of the issue was the use of java.io.ObjectInputStream.readObject() on data derived directly from user-controllable URL parameters.
The patch addresses this fundamental flaw by introducing a robust security mechanism: HMAC (Hash-based Message Authentication Code) signing for all ViewModel mementos. Here's a breakdown of the fix:
- HMAC Signing and Verification: A new HmacAuthority service and HmacUrlCodec were introduced. Before a ViewModel memento is placed in a URL, it is now digitally signed. When a memento is received from a URL, its signature is verified against the content. If the signature is invalid or doesn't match, the operation is aborted, preventing the deserialization of tampered data.
- Secure Deserialization Flow: A new SecureViewModelFacet class was created to enforce this secure workflow. It ensures that any attempt to instantiate a ViewModel from a bookmark first goes through HMAC verification. Only if the data is trusted is the deserialization process allowed to proceed.
- Removal of Vulnerable Code: The old, insecure classes and methods were removed or refactored. For example, _MementoDefault, which performed direct deserialization, was deleted. The ViewModelFacetForSerializableInterface.deserialize method was replaced with a new implementation within the SecureViewModelFacet hierarchy that operates only on trusted, verified data.
- Explicit Warnings: In the _Serializables utility class, which contains the low-level read methods, explicit warnings about the dangers of deserialization were added to the code comments. The method parameters were also renamed from input to trustedBytes to make the intended usage clear to developers.
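The sign-then-verify flow described above, as an added example that is not Apache Causeway's own code (HmacAuthority, HmacUrlCodec and SecureViewModelFacet are not reproduced here): a hypothetical SignedMementoCodec serializes a ViewModel, appends an HMAC-SHA256 tag, and on the way back checks the tag in constant time before any ObjectInputStream.readObject() call is reached. The class names, the "payload.mac" token layout and the CustomerViewModel type are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical codec, not Causeway's HmacUrlCodec: token = urlbase64(payload) "." urlbase64(mac).
public final class SignedMementoCodec {

    private static final String HMAC_ALG = "HmacSHA256";
    private final byte[] key;

    public SignedMementoCodec(byte[] key) {
        this.key = key.clone();
    }

    // Serialize the memento and append an HMAC computed over the serialized bytes.
    public String encode(Serializable memento) throws IOException {
        byte[] payload = serialize(memento);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(payload) + "." + enc.encodeToString(hmac(payload));
    }

    // Verify the HMAC first; bytes that fail the check never reach ObjectInputStream.
    public Object decode(String token) throws IOException, ClassNotFoundException {
        int dot = token.lastIndexOf('.');
        if (dot < 0) {
            throw new SecurityException("malformed memento token");
        }
        Base64.Decoder dec = Base64.getUrlDecoder();
        byte[] payload = dec.decode(token.substring(0, dot));
        byte[] mac = dec.decode(token.substring(dot + 1));
        // Constant-time comparison so the check does not leak how many tag bytes matched.
        if (!MessageDigest.isEqual(hmac(payload), mac)) {
            throw new SecurityException("memento signature invalid; refusing to deserialize");
        }
        return deserialize(payload); // only verified bytes get here
    }

    private byte[] hmac(byte[] data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(key, HMAC_ALG));
            return mac.doFinal(data);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    private static byte[] serialize(Serializable memento) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(memento);
        }
        return bos.toByteArray();
    }

    // Parameter named trustedBytes, as in the patched _Serializables, to make the contract visible.
    private static Object deserialize(byte[] trustedBytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(trustedBytes))) {
            // Defence in depth (Java 9+): even a verified stream may only contain the expected classes.
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "SignedMementoCodec$CustomerViewModel;java.lang.String;!*"));
            return ois.readObject();
        }
    }

    // Sample ViewModel state, constructed for this example.
    public static final class CustomerViewModel implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String customerId;
        public CustomerViewModel(String customerId) { this.customerId = customerId; }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // in a real deployment: a persistent, per-application secret
        SignedMementoCodec codec = new SignedMementoCodec(key);

        String token = codec.encode(new CustomerViewModel("C-42"));
        CustomerViewModel restored = (CustomerViewModel) codec.decode(token);
        System.out.println("verified memento for customer " + restored.customerId);

        // Alter one character of the payload: the MAC check fails before readObject() is reached.
        String tampered = (token.charAt(0) == 'A' ? 'B' : 'A') + token.substring(1);
        try {
            codec.decode(tampered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two operational points follow from the pattern. The key has to be persistent and shared by every node that serves the same bookmarks, otherwise restarts or load-balanced requests reject legitimate URLs; a fresh SecureRandom key, as in main, is only suitable for a demo. The ObjectInputFilter is not a substitute for the MAC check but a second barrier: the MAC proves the bytes came from the application, the filter limits what even application-produced bytes may instantiate.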
The identified vulnerable functions are the specific methods that, prior to the patch, performed the unsafe deserialization of these ViewModel mementos. By exploiting these functions, an attacker could gain control over the application.