Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)

Related Vulnerabilities: CVE-2015-0279  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="20"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#21">By Date</a>
<a href="22"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="20"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#21">By Thread</a>
<a href="22"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: &lt;csirt () swisscom com&gt;


<em>Date</em>: Mon, 22 Jul 2019 13:15:55 +0000


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">####################################################################################
#
# SWISSCOM CSIRT ADVISORY
# <a rel="nofollow" href="https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html">https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html</a>
#
####################################################################################
#
# Product:  Secure Change
# Vendor:   Tufin
# Subject:  Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)
# CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 10.0)
# Finder:   Raphael Arrouas (<a rel="nofollow" href="https://www.linkedin.com/in/raphaelarrouas/">https://www.linkedin.com/in/raphaelarrouas/</a>)
# Coord:    Stephane Grundschober (csirt _at_ swisscom.com)
# Date:     July 15 2019
# Advisory URL: 
<a rel="nofollow" href="https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt">https://www.swisscom.ch/content/dam/swisscom/de/about/nachhaltigkeit/digitale-schweiz/sicherheit/bug-bounty/files/scbb-2986-tufin-secure-change.txt</a>
# Vendor advisory: 
<a rel="nofollow" href="https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019">https://portal.tufin.com/articles/SecurityAdvisories/RichFaces-Expression-Language-Injection-27-5-2019</a>
# CVE:      No CVE requested by Tufin
#
####################################################################################


Description
-----------
An unauthenticated Remote Code Execution vulnerability exists in Tufin SecureChange, 
allowing an attacker to take control of the SecureChange server and potentially
affect all managed firewalls.

Affected Product
----------------
All TOS versions with SecureChange deployments are affected. 
SecureTrack deployments are not affected for any TOS version.

Vulnerability
-------------
The SecureChange application uses Richfaces in version 4.3.5, which is vulnerable 
to CVE-2015-0279, an unauthenticated RCE by expression language injection within 
a serialized Java object. A web page exposing the vulnerability is accessible
without authentication, allowing unauthenticated attacker to execute arbitrary 
Java code and compromise the server. 

Remediation
-----------
TOS R19-1: The vulnerability fix is included in R19-1 HF1.1, released on May 27.
TOS R18-3: The vulnerability fix is included in R18-3 HF3.1, released on May 27.
TOS R18-2 and TOS R18-1: please contact support at support () tufin com
Earlier versions of TOS: upgrade to R19-1 HF1.1 and above or R18-3 HF3.1 and above


Milestones
----------
2019-04-18   Discovery of the vulnerability, PoC and details communicated with Swisscom CSIRT
2019-04-21   Swisscom opens a support ticket at Tufin
2019-05-22   Tufin sends a security announcement to its customers
2019-05-27   Tufin releases Hotfixes correcting the issue
2019-05-29   Embargo agreed until 8th of July 2019
2019-07-15   Advisory published


Credits
-------
We would like to thank Raphaël Arrouas for his research
and responsible disclosure through Swisscom's Bug Bounty program
<a rel="nofollow" href="https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html">https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html</a>
as well as Tufin for the development of the hotfix.

</pre><p><strong>Attachment:
<a href="att-21/smime_p7s.bin"><tt>smime.p7s</tt></a></strong>

<em>Description:</em> S/MIME Cryptographic Signature</p>
<pre style="margin: 0em;">
_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="20"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#21">By Date</a>
<a href="22"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="20"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#21">By Thread</a>
<a href="22"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>Tufin SecureChange uses Richfaces 4.3.5, vulnerable to CVE-2015-0279 (unauthenticated RCE)</strong> <em>csirt (Jul 23)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started