The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-14667 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 9.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (richfaces) | RHSA-2018:3517 | 2018-11-06 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (richfaces) | RHSA-2018:3517 | 2018-11-06 |
| Red Hat JBoss EAP 5 | RHSA-2018:3518 | 2018-11-06 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2018:3519 | 2018-11-07 |
| JBoss Enterprise BRMS Platform 5.3 | RHSA-2018:3581 | 2018-11-13 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss Operations Network 3 | RichFaces | Not affected |
Vulmon