URGENT: Mining-script in Primfaces-Page? Where does it come from??

UI Components for JSF
Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

16 Jan 2018, 03:24

SO can someone affected deploy an app with 6.1 PF and verify that app on the same infrastructure is not affected? That will help determine if it was fixed by that 5.3 patch for the EL injection bug?
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

tak3shi
Posts: 6
Joined: 25 Apr 2013, 22:58

16 Jan 2018, 09:02

I have restored my server from backup and replaced Primefaces JAR with 6.1 and the Primefaces Extensions yesterday without any further changes. Until now the .xhtml files are untouched.

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

16 Jan 2018, 14:29

Excellent tak3shi thanks for reporting back. Keep us in the loop.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

16 Jan 2018, 14:37

Please @Melloware, read https://github.com/primefaces/primeface ... -184753216. PF should have done this... It's a security fix and you cannot expect everyone to always upgrade to the latest versions... Bad, bad, bad publicity coming out now unfortunately which could have simply been prevented

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

16 Jan 2018, 14:44

@kukeltje I agree with you. If something is a major security flaw like this one a Community version should have been put out for people to mitigate the risk.
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

kukeltje
Expert Member
Posts: 9605
Joined: 17 Jun 2010, 13:34
Location: Netherlands

17 Jan 2018, 22:35

It's never too late to right a wrong

chimmelb
Posts: 5
Joined: 17 Jan 2018, 22:39

17 Jan 2018, 22:59

This hack affected our site as well. Same scripts and duckdns for deepMiner.js. Same error logs with StreamedContentHandler, looking like issue #1152 from Git Issues. Redeploying our WAR removed the changed files.

We are using PF 5.3 of some kind (app was built and running before I arrived, trying to see what point release we have). Looking to upgrade to a safer version. Is there a 5.3.x version that is patched, or does this require going to 6.1? I don't see any licenses in our company's documentation, so I think we are just using the community versions from Maven.

chimmelb
Posts: 5
Joined: 17 Jan 2018, 22:39

17 Jan 2018, 23:10

This issue affected us as well. Same deepMiner.js and script, same java exception at StreamedContentHandler (pointing to GItHub Issue #1152). Redeploying our WAR file overwrote the affected files, so that's a plus.

Looking to upgrade from version 5.3 to version 6.1, will see how hard that upgrade path is with our web app).

Wanted to confirm another instance of this, and that our analysis points to the same as this thread.

chimmelb
Posts: 5
Joined: 17 Jan 2018, 22:39

18 Jan 2018, 01:58

I could also add that our supporting environment is Linux, nginx, and Glassfish. Different than the apache, Payara, Wildfly of other posters. Common denominator seems to be PF 5.3. I've updated to PF 6.1 and will report back if this is seen again.

Melloware
Posts: 3717
Joined: 22 Apr 2013, 15:48

18 Jan 2018, 14:46

Guys,

I don't work for PrimeFaces so I am not trying to sell anything. But if you need immediate relief with little regression testing you can sign up to Elite for 99$ a year you can download version 5.3.17 which is patched with this fix.

https://www.primefaces.org/support/

Just wanted to give you an option that will get you out the jam today!
PrimeFaces Developer | PrimeFaces Extensions Developer
GitHub Profile: https://github.com/melloware
PrimeFaces Elite 13.0.0 / PF Extensions 13.0.0
PrimeReact 9.6.1

Post Reply

Return to “PrimeFaces”

  • Information
  • Who is online

    Users browsing this forum: No registered users and 4 guests