Vulnerability CVE-2021-26296 - CERT Civis.Net

Vulnerability Name:

CVE-2021-26296 (CCN-197017)

Assigned:

2021-02-18

Published:

2021-02-18

Updated:

2021-06-02

Summary:

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-26296

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces

Source: XF
Type: UNKNOWN
apache-cve202126296-csrf(197017)

Source: CCN
Type: myfaces GIT Repository
MYFACES-4373: make sure SecureRandom is used for invalid configs #134

Source: MISC
Type: Mailing List, Vendor Advisory
https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E

Source: CCN
Type: Packet Storm Security [02-20-2021]
Apache MyFaces 2.x Cross Site Request Forgery

Source: CCN
Type: oss-sec Mailing List, Thu, 18 Feb 2021 12:53:39 -0500
CVE-2021-26296: Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210528-0007/

Source: CCN
Type: IBM Security Bulletin 6441433 (WebSphere Application Server)
Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296)

Source: CCN
Type: IBM Security Bulletin 6446257 (Liberty for Java)
Vulnerability in Apache MyFaces affects Liberty for Java for IBM Cloud (CVE-2021-26296)

Source: CCN
Type: IBM Security Bulletin 6452161 (Cloud Orchestrator)
Vulnerabilities in WebSphere Application Server affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise

Source: CCN
Type: IBM Security Bulletin 6454803 (Spectrum Control)
Vulnerabilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Node.js affect IBM Spectrum Control

Source: CCN
Type: IBM Security Bulletin 6455913 (Tivoli Application Dependency Discovery Manager)
Information disclosure vulnerability in WebSphere Application Server Liberty

Source: CCN
Type: IBM Security Bulletin 6457783 (Content Collector for Email)
Embedded WebSphere Application Server is vulnerable to Apache MyFaces, which affects Content Collector for Email

Source: CCN
Type: IBM Security Bulletin 6465127 (Cloud Pak for Automation)
Multiple vulnerabilities affect IBM Cloud Pak for Automation

Source: CCN
Type: IBM Security Bulletin 6466323 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is affected by a vulnerability in WebSphere Application Server Liberty (CVE-2021-26296)

Source: CCN
Type: IBM Security Bulletin 6467155 (Rational Asset Analyzer)
Rational Asset Analyzer (RAA) is affected by a WebSphere Application Server vulnerability (CVE-2021-26296)

Source: CCN
Type: IBM Security Bulletin 6469907 (NovaLink)
Novalink is impacted by Apache MyFaces affects WebSphere Liberty, middle vulnerability in WebSphere Application Server Liberty (CVE-2021-26296)

Source: CCN
Type: IBM Security Bulletin 6470235 (CICS TX on Cloud)
A vulnerability in WebSphere Application Server Liberty affects IBM CICS TX on Cloud

Source: CCN
Type: IBM Security Bulletin 6471655 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring installed WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6471953 (Common Licensing)
Multiple Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM LKS Administration and Reporting Tool and its Agent

Source: CCN
Type: IBM Security Bulletin 6485501 (TXSeries for Multiplatforms)
A vulnerability in WebSphere Application Server Liberty affects TXSeries for Multiplatforms

Source: CCN
Type: IBM Security Bulletin 6486349 (Cloud Private)
IBM Cloud Private is vulnerable to Apache vulnerabilities (CVE-2021-26296)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-26296

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:myfaces:*:*:*:*:*:*:*:* (Version >= 2.2.0 and <= 2.2.13)

OR cpe:/a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:*:*:*:*:*:*:*:* (Version >= 2.3.0 and <= 2.3.7)

OR cpe:/a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*

Configuration 2:

cpe:/a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:myfaces:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.2.13:*:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3.0:-:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3.7:*:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*

OR cpe:/a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*

AND

cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_orchestrator:2.5.0.10:*:*:*:-:*:*:*

OR cpe:/a:ibm:content_collector:4.0.1:*:*:*:email:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:8.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:8.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:8.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:8.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:9.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.4:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.5:*:standard:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.3.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_control:5.4.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*

OR cpe:/a:ibm:websphere_application_server:21.0.0.3:*:*:*:liberty:*:*:*

OR cpe:/a:ibm:cloud_pak_for_automation:21.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:txseries:9.1.0.2:*:*:*:*:*:*:*

Denotes that component is vulnerable