PT-2021-16989 · Apache · Apache MyFaces Core
Wolfgang Ettlinger · Published 2021-02-19 · Updated 2021-06-16
CVE-2021-26296
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache MyFaces Core versions 2.2.0 through 2.2.13
Apache MyFaces Core versions 2.3.0 through 2.3.7
Apache MyFaces Core versions 2.3-next-M1 through 2.3-next-M4
Apache MyFaces Core version 3.0.0-RC1
Description
The issue arises from the use of cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens in the default configuration. This weakness makes it possible, although difficult, for an attacker to calculate a future CSRF token value and use it to trick a user into executing unwanted actions on an application.
Recommendations
For all affected versions (Apache MyFaces Core 2.2.0 through 2.2.13, 2.3.0 through 2.3.7, 2.3-next-M1 through 2.3-next-M4, and 3.0.0-RC1), update the web.xml configuration so that CSRF tokens are generated with SecureRandom, by setting each of the following context parameters to secureRandom:
org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN
org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN
org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN
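The recommendation above as a complete web.xml, written here as an added example rather than taken from the advisory or from the MyFaces project; the servlet mapping is a generic JSF setup, and the statement that the alternative value `random` is the weak default on the affected versions comes from the MyFaces configuration reference, not from this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the advisory's or the project's own descriptor.
     All three MyFaces session-token generators are pinned to
     java.security.SecureRandom. Leaving any of them unset on an affected
     version keeps the weak default (assumed to be "random", per the
     MyFaces configuration reference) in effect for that token. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Token embedded in the JSF view state (implicit CSRF protection). -->
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN</param-name>
    <param-value>secureRandom</param-value>
  </context-param>

  <!-- Token checked for explicit CSRF protection (protected views). -->
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN</param-name>
    <param-value>secureRandom</param-value>
  </context-param>

  <!-- Token authorising the f:websocket channel. -->
  <context-param>
    <param-name>org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN</param-name>
    <param-value>secureRandom</param-value>
  </context-param>

  <!-- Generic JSF servlet wiring (assumed; not part of the fix). -->
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>
</web-app>
```

After deploying, confirm in the running application's descriptor that all three parameters are present with the value secureRandom; a partial change leaves the unset token generator on the weak setting.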
Weakness categories: Use of Insufficiently Random Values; CSRF