Arbitrary EL Evaluation in RichFaces - Vulnerability Database

Arbitrary EL Evaluation in RichFaces

Description

RichFaces is one of the most popular component libraries for JavaServer Faces (JSF). In early 2016, its developers announced that RichFaces would reach end of life in June 2016.

The latest released versions of RichFaces (3.3.4 and 4.5.17) are affected by the following vulnerabilities:

RF-14310: Arbitrary EL Evaluation in RichFaces 3.x <= 3.3.4
Injection of arbitrary EL expressions allows remote code execution via org.richfaces.renderkit.html.Paint2DResource.

RF-14309: Arbitrary EL Evaluation in RichFaces 4.5.3 <= 4.5.17
Injection of an arbitrary EL variable mapper bypasses the mitigation for CVE-2015-0279 and thereby allows remote code execution.

Remediation

Mitigate these vulnerabilities by blocking requests to the affected URLs:

Blocking requests for URLs whose path contains /DATA/ should mitigate CVE-2013-2165 and RF-14310.

Blocking requests for URLs whose path contains org.richfaces.resource.MediaOutputResource (literally or URL-encoded) should mitigate CVE-2015-0279 and RF-14309.
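As an added illustration of the remediation above (not code from the advisory or from the RichFaces project), a request-path check that applies the two blocking rules. It strips the query string first and then percent-decodes the path repeatedly, which goes beyond the single encoding level the text mentions so that double-encoded fragments are also caught; the sample paths are constructed, not taken from real traffic.

```python
from urllib.parse import unquote

# Path fragments named in the advisory's remediation guidance.
BLOCKED_FRAGMENTS = (
    "/DATA/",                                      # CVE-2013-2165, RF-14310
    "org.richfaces.resource.MediaOutputResource",  # CVE-2015-0279, RF-14309
)

MAX_DECODE_ROUNDS = 3  # assumption: bounds repeated decoding of nested encodings


def normalize_path(path: str) -> str:
    """Return the request path with percent-encoding removed.

    The query string is dropped before decoding so that an encoded '?' in the
    path cannot truncate the part we inspect. Decoding is repeated (bounded)
    until the string stops changing, exposing fragments hidden behind a second
    layer of encoding such as %252E for '.'.
    """
    path = path.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def should_block(path: str) -> bool:
    """True if the normalized path contains either advisory fragment.

    The match is case-sensitive, as servlet paths are; a lowercase '/data/'
    in an unrelated resource URL is therefore not blocked.
    """
    normalized = normalize_path(path)
    return any(fragment in normalized for fragment in BLOCKED_FRAGMENTS)


# Constructed sample paths for demonstration only.
SAMPLE_PATHS = [
    "/app/a4j/g/Paint2DResource/DATA/eAFbyo.jsf",
    "/app/rfRes/org.richfaces.resource.MediaOutputResource.jsf?x=1",
    "/app/rfRes/org%2Erichfaces%2Eresource%2EMediaOutputResource.jsf",
    "/app/rfRes/org%252Erichfaces%252Eresource%252EMediaOutputResource.jsf",
    "/app/pages/orders.jsf",
    "/app/javax.faces.resource/data/logo.png.jsf",
]


def classify(paths):
    """Map each path to its blocking decision."""
    return {p: should_block(p) for p in paths}


if __name__ == "__main__":
    for p, blocked in classify(SAMPLE_PATHS).items():
        print("BLOCK " if blocked else "allow ", p)
```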
