Red Hat JBoss RichFaces Expression Language Injection Arbitrary Code Execution Vulnerability [CVE-2018-14667]
A vulnerability in Red Hat JBoss RichFaces could allow an unauthenticated, remote attacker to inject arbitrary code on a targeted system.The vulnerability exists because the affected software allows injection of arbitrary Expression Language (EL) expressions. An attacker could exploit this vulnerability by using the org.ajax4jsf.resource.UserResource$UriData object to pass malicious resource data to the targeted system. A successful exploit could allow the attacker to execute arbitrary Java code on the system.Red Hat has confirmed the vulnerability and released software updates.
Analysis
- To exploit this vulnerability, the attacker must send malicious resource data to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
Safeguards
- Administrators are advised to apply the appropriate updates. Administrators are advised to allow only trusted users to have network access. Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems. Administrators are advised to monitor affected systems.
Vendor Announcements
- Red Hat has released an official CVE statement and security advisories for bug 1639139 at the following links: CVE-2018-14667, RHSA-2018:3517, RHSA-2018:3518, and RHSA-2018:3519
Fixed Software
- Red Hat has released updated software for registered subscribers via the Red Hat Subscription Management (RHSM) service. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.