Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mojarra | Oracle | 1.1 (including) | 1.1 (including) |
| Mojarra | Oracle | 1.1_02 (including) | 1.1_02 (including) |
| Mojarra | Oracle | 1.2 (including) | 1.2 (including) |
| Mojarra | Oracle | 1.2_01 (including) | 1.2_01 (including) |
| Mojarra | Oracle | 1.2_02 (including) | 1.2_02 (including) |
| Mojarra | Oracle | 1.2_03 (including) | 1.2_03 (including) |
| Mojarra | Oracle | 1.2_04 (including) | 1.2_04 (including) |
| Mojarra | Oracle | 1.2_05 (including) | 1.2_05 (including) |
| Mojarra | Oracle | 1.2_06 (including) | 1.2_06 (including) |
| Mojarra | Oracle | 1.2_07 (including) | 1.2_07 (including) |
| Mojarra | Oracle | 1.2_08 (including) | 1.2_08 (including) |
| Mojarra | Oracle | 1.2_09 (including) | 1.2_09 (including) |
| Mojarra | Oracle | 1.2_10 (including) | 1.2_10 (including) |
| Mojarra | Oracle | 1.2_11 (including) | 1.2_11 (including) |
| Mojarra | Oracle | 1.2_12 (including) | 1.2_12 (including) |
| Mojarra | Oracle | 1.2_13 (including) | 1.2_13 (including) |
| Mojarra | Oracle | 1.2_14 (including) | 1.2_14 (including) |
| Mojarra | Oracle | 1.2_15 (including) | 1.2_15 (including) |
| Mojarra | Oracle | 2.0.0 (including) | 2.0.0 (including) |
| Mojarra | Oracle | 2.0.1 (including) | 2.0.1 (including) |
| Mojarra | Oracle | 2.0.2 (including) | 2.0.2 (including) |
| Mojarra | Oracle | 2.0.3 (including) | 2.0.3 (including) |