CVE Number – CVE-2018-12533
A vulnerability in Red Hat JBoss RichFaces could allow an unauthenticated, remote attacker to inject arbitrary code on a targeted system.
The vulnerability exists because the affected software allows injection of arbitrary Expression Language (EL) expressions. An attacker could exploit this vulnerability by using the org.richfaces.renderkit.html.Paint2DResource$ImageData object (RF-14310) to pass malicious resource data to the targeted system. A successful exploit could allow the attacker to execute arbitrary Java code on the system.
Red Hat has confirmed the vulnerability and released software updates.
To exploit this vulnerability, the attacker must send malicious resource data to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
Administrators are advised to monitor affected systems.
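The monitoring and IP-based ACL advice above can be combined into a simple log check. The following is an added example, not Red Hat's or the RichFaces project's code: it parses web-server access log lines in the Apache/nginx "combined" format (an assumption about the deployment's log format), flags every request whose URI references the org.richfaces.renderkit.html.Paint2DResource resource named in this advisory, and marks whether the client address falls inside the trusted networks the ACL is meant to enforce. The log lines and the URI path layout are constructed for illustration; the function and variable names are the example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" access-log format (assumption about the deployment;
# adjust the pattern if your reverse proxy logs a different layout).
COMBINED_LOG = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Resource class named in the advisory (CVE-2018-12533 / RF-14310).
# Assumption: requests for it carry the class name in the URI path.
PAINT2D_MARKER = "org.richfaces.renderkit.html.Paint2DResource"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def find_paint2d_requests(log_lines, trusted_networks=()):
    """One finding per request that references the Paint2DResource resource.

    Each finding is the parsed record plus 'trusted_source', True when the
    client IP lies inside one of the trusted networks (the IP-based ACL the
    advisory recommends). Lines that do not parse are skipped.
    """
    trusted = [ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or PAINT2D_MARKER not in rec["uri"]:
            continue
        src = ip_address(rec["ip"])
        rec["trusted_source"] = any(src in net for net in trusted)
        findings.append(rec)
    return findings


def untrusted_paint2d_requests(log_lines, trusted_networks=()):
    """Only the Paint2DResource requests that came from outside the ACL."""
    return [f for f in find_paint2d_requests(log_lines, trusted_networks)
            if not f["trusted_source"]]


# Constructed sample log lines: one ordinary page request, one Paint2DResource
# request from an untrusted address, one from inside the trusted range, and
# one malformed line that the parser must skip.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2018:12:00:01 +0000] "GET /app/index.jsf HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2018:12:00:02 +0000] "GET '
    '/app/a4j/org.richfaces.renderkit.html.Paint2DResource/dGVzdA HTTP/1.1" '
    '200 812 "-" "curl/7.58.0"',
    '10.0.0.8 - - [10/Jun/2018:12:00:03 +0000] "GET '
    '/app/a4j/org.richfaces.renderkit.html.Paint2DResource/aW1n HTTP/1.1" '
    '200 4096 "http://intranet.example/app/" "Mozilla/5.0"',
    'this line is not an access-log record',
]

TRUSTED = ["10.0.0.0/8"]

if __name__ == "__main__":
    for f in untrusted_paint2d_requests(SAMPLE_LOG, TRUSTED):
        print(f"{f['ts']} untrusted {f['ip']} -> {f['uri']} ({f['status']})")
```

Run against real logs, the untrusted list is the set of requests worth triaging first; the trusted ones still deserve review, since the advisory's fix is the update, and the ACL only narrows who can reach the vulnerable resource.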
Red Hat has released updated software for registered subscribers via the Red Hat Subscription Management (RHSM) service. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.