VYPR
Unrated severity · NVD Advisory · Published Jun 17, 2012 · Updated Apr 29, 2026

CVE-2012-2672

Description

Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information and access resources from another WAR file by calling the FacesContext.getCurrentInstance function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Oracle Mojarra 2.1.7 fails to clean up the FacesContext reference during startup, allowing a deployed WAR to access another WAR's resources via FacesContext.getCurrentInstance().

Vulnerability

Oracle Mojarra 2.1.7 does not properly clean up the FacesContext reference held in a ThreadLocal during application startup. When a JSF WAR calls FacesContext.getCurrentInstance() during its startup, the context is not cleared, leaving a stale reference that can be accessed by another WAR deployed in the same application server [4]. This affects Mojarra versions prior to the fix (e.g., 2.1.7) and JBoss Enterprise Application Platform versions that bundle it.

Exploitation

An attacker must be able to deploy a malicious WAR or have a WAR that can call FacesContext.getCurrentInstance() during the startup phase. The attacker's WAR can then read the leftover FacesContext from another WAR that previously called the same method during its own startup. No network access is required; the attack is local to the application server's JVM [4].

Impact

Successful exploitation allows the attacker's WAR to obtain the FacesContext of another WAR, potentially gaining access to that WAR's resources, including session data, request parameters, and other sensitive information. This can lead to information disclosure across application boundaries within the same server [4].

Mitigation

Red Hat released updates for JBoss Enterprise Application Platform that include the fix: RHSA-2012-1591 (JBoss EAP 6.4 for RHEL 5) [1] and RHSA-2012-1592 (JBoss EAP from RHUI 6) [2]. Upstream, the issue was fixed in Mojarra via bug JAVASERVERFACES-2436. Users should upgrade to the patched version of Mojarra or apply the relevant JBoss EAP update. No workaround is documented.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
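The mechanism described above (a per-thread context set during startup and never released, so the next deployment initialised on the same container thread sees it) reduced to a self-contained model. This is an added illustration, not Mojarra's code: `AppContext`, `ContextHolder`, `leakyStartup` and `safeStartup` are hypothetical names standing in for FacesContext and its ThreadLocal holder, and the assumption is that both deployments are initialised on one thread.

```java
// Simplified model of a ThreadLocal-held context (not Mojarra's implementation).
public final class ThreadLocalContextLeakDemo {

    /** Stand-in for a per-WAR FacesContext; hypothetical name. */
    static final class AppContext {
        final String warName;
        AppContext(String warName) { this.warName = warName; }
    }

    /** Stand-in for FacesContext's per-thread instance holder; hypothetical name. */
    static final class ContextHolder {
        private static final ThreadLocal<AppContext> CURRENT = new ThreadLocal<>();
        static AppContext getCurrentInstance() { return CURRENT.get(); }
        static void setCurrentInstance(AppContext ctx) { CURRENT.set(ctx); }
        static void release() { CURRENT.remove(); }   // the cleanup step that was missing
    }

    /** Vulnerable pattern: the context is set for startup work and never released. */
    static void leakyStartup(String warName) {
        ContextHolder.setCurrentInstance(new AppContext(warName));
        // ... startup work that calls ContextHolder.getCurrentInstance() ...
        // no ContextHolder.release(): the reference stays on the container thread
    }

    /** Fixed pattern: release in finally so nothing carries over to the next deployment. */
    static void safeStartup(String warName) {
        ContextHolder.setCurrentInstance(new AppContext(warName));
        try {
            // ... startup work that calls ContextHolder.getCurrentInstance() ...
        } finally {
            ContextHolder.release();
        }
    }

    /**
     * Runs one deployment's startup, then asks, as the next deployment would on the
     * same thread, what "current" context is visible before it sets its own.
     * Returns the leaked WAR name, or "none" if the thread was left clean.
     */
    static String observedByNextDeployment(Runnable firstStartup) {
        firstStartup.run();
        AppContext stale = ContextHolder.getCurrentInstance();
        return stale == null ? "none" : stale.warName;
    }

    public static void main(String[] args) {
        System.out.println("after leaky startup: " + observedByNextDeployment(() -> leakyStartup("app-a.war")));
        ContextHolder.release(); // reset the demo thread between the two runs
        System.out.println("after safe startup:  " + observedByNextDeployment(() -> safeStartup("app-b.war")));
    }
}
```

A container that reuses deployment threads makes the leaky variant observable across WARs; auditing for `ThreadLocal.set` calls without a matching `remove` in a `finally` block is the corresponding defensive check.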

Affected products (2)

  • cpe:2.3:a:oracle:mojarra:2.1.7:*:*:*:*:*:*:*
  • (no CPE) range: =2.1.7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (10)

News mentions (0)

No linked articles in our index yet.