RichFaces Framework up to 3.3.4 org.ajax4jsf.resource.UserResource$UriData Serialized Object code injection

Summaryinfo

A vulnerability has been found in RichFaces Framework up to 3.3.4 and classified as critical. Affected by this issue is some unknown functionality of the component org.ajax4jsf.resource.UserResource$UriData. The manipulation as part of Serialized Object leads to code injection. This vulnerability is traded as CVE-2018-14667. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability, which was classified as critical, has been found in RichFaces Framework up to 3.3.4. This issue affects an unknown part of the component org.ajax4jsf.resource.UserResource$UriData. The manipulation as part of a Serialized Object leads to a code injection vulnerability. Using CWE to declare the problem leads to CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

The bug was discovered 11/06/2018. The weakness was shared 11/06/2018 as not defined bug report (Bugzilla). It is possible to read the advisory at bugzilla.redhat.com. The identification of this vulnerability is CVE-2018-14667 since 07/27/2018. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Technical details are unknown but a public exploit is available. The attack technique deployed by this issue is T1059 according to MITRE ATT&CK.

The exploit is available at packetstormsecurity.com. It is declared as attacked. The vulnerability scanner Nessus provides a plugin with the ID 118943 (RHEL 6 : JBoss EAP (RHSA-2018:3517)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Red Hat Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 237048 (Red Hat Update for JBoss Enterprise Application Platform 5.2.0 (RHSA-2018:3517)). The CISA Known Exploited Vulnerabilities Catalog lists this issue since 09/28/2023 with a due date of 10/19/2023:

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Upgrading eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (118943). Be aware that VulDB is the high quality source for vulnerability data.

Productinfo

Vendor

• RichFaces

Name

• Framework

Version

• 3.3.0
• 3.3.1
• 3.3.2
• 3.3.3
• 3.3.4

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion