CVE-2018-14667 - RichFaces remote code execution

Solution In Progress - Updated -

Environment

The following Red Hat products are impacted:

  • Enterprise Application Platform 5.2
  • Red Hat JBoss BRMS 5.3.1
  • Red Hat JBoss SOA Platform 5.3.1
  • Red Hat Developer Studio 12.9

Issue

Red Hat Product Security has been made aware of a remote code execution flaw in the Java RichFaces framework. The issue has been assigned CVE-2018-14667 and a Critical security impact.

An application that uses certain features in RichFaces could permit an unauthenticated user to send a specially-crafted object that contains a tainted expression, the evaluation of which triggers deserialization after clearing any whitelist protections. This can result in execution of arbitrary java code or possibly system code.

Resolution

Red Hat Product Engineering is actively developing patches all affected Red Hat products. Additional details on the vulnerability and all advisories related to this issue can review CVE-2018-14667 . Customers running affected versions of Red Hat products are strongly recommended to update as soon as errata are available, and to apply the updates immediately.

To mitigate this vulnerability, customers are advised to disable Expression Language evaluation in RichFaces; or, if this is not feasible, to add sanitization of any Expression Language received from untrusted sources. Expression Language whitelisting could be added after ResourceBuilderImpl class in its getResourceDataForKey method invokes LookAheadObjectInputStream (which deserializes data based on whitelisted classes).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments