Red Hat JBoss RichFaces Framework contains an expression language (EL) injection vulnerability tracked as CVE-2018-14667. The vulnerability may allow an attacker to execute code using a chain of Java serialized objects.
The vulnerability has been given a critical severity rating with a CVSS score of 9.8. CISA has added it to its Known Exploited Vulnerabilities Catalog and has asked users to patch it before October 19, 2023.
The JBoss Enterprise Application Platform is a subscription-based/open-source Java EE-based application server runtime platform. The platform builds, deploys, and hosts highly transactional Java applications and services.
According to OWASP, this class of vulnerability arises when attacker-controlled data enters an EL interpreter: the software constructs all or part of an expression language (EL) statement in a JavaServer Pages (JSP) page using externally influenced input from an upstream component.
An unauthenticated, remote attacker may exploit this vulnerability via UserResource to perform remote code execution.
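To make the OWASP description concrete, the following is an added example (not code from RichFaces, Red Hat or Qualys) that places the vulnerable pattern beside a hardened form. It assumes a Java EL 3.0 API and implementation on the classpath; the `User` bean, the `attr` variable and the allow-list are constructed for illustration.

```java
import java.util.Set;
import javax.el.ExpressionFactory;
import javax.el.StandardELContext;
import javax.el.ValueExpression;

public class ElInjectionDemo {
    // Constructed sample bean standing in for a server-side object exposed to EL.
    public static class User {
        private final String name;
        public User(String name) { this.name = name; }
        public String getName() { return name; }
    }

    private static StandardELContext newContext(ExpressionFactory factory) {
        StandardELContext ctx = new StandardELContext(factory);
        ctx.getVariableMapper().setVariable("user",
            factory.createValueExpression(new User("alice"), User.class));
        return ctx;
    }

    // VULNERABLE PATTERN (the shape OWASP describes): request-supplied text is
    // spliced into the EL statement, so the interpreter parses and evaluates
    // whatever the client sent instead of just reading a property.
    static Object lookupUnsafe(String attribute) {
        ExpressionFactory factory = ExpressionFactory.newInstance();
        StandardELContext ctx = newContext(factory);
        String statement = "#{user." + attribute + "}";   // input becomes code
        return factory.createValueExpression(ctx, statement, Object.class).getValue(ctx);
    }

    // HARDENED: the expression text is a fixed, server-chosen literal; the input
    // is checked against an allow-list and bound as a *value* (variable "attr"),
    // so it can only name a permitted property and is never parsed as EL.
    private static final Set<String> ALLOWED = Set.of("name");

    static Object lookupSafe(String attribute) {
        if (!ALLOWED.contains(attribute)) {
            throw new IllegalArgumentException("attribute not permitted: " + attribute);
        }
        ExpressionFactory factory = ExpressionFactory.newInstance();
        StandardELContext ctx = newContext(factory);
        ctx.getVariableMapper().setVariable("attr",
            factory.createValueExpression(attribute, String.class));
        return factory.createValueExpression(ctx, "#{user[attr]}", Object.class).getValue(ctx);
    }

    public static void main(String[] args) {
        System.out.println(lookupSafe("name"));   // alice
        try { lookupSafe("class"); }              // rejected before any EL evaluation
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

The patched RichFaces release is the actual remedy for CVE-2018-14667; the hardened method only illustrates the general rule of never letting untrusted input reach the EL parser as expression text.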
Affected Versions
- JBoss Enterprise Application Platform 5 for RHEL 6 x86_64
- JBoss Enterprise Application Platform 5 for RHEL 6 i386
- JBoss Enterprise Application Platform 5 for RHEL 5 x86_64
- JBoss Enterprise Application Platform 5 for RHEL 5 i386
Mitigation
Customers are advised to update the affected package to patch the vulnerability.
Please refer to the Red Hat security advisory for more information.
Qualys Detection
Qualys customers can scan their devices with QIDs 237048 and 990176 to detect vulnerable assets.
QID 990176 is available to customers who subscribe to the SCA (Software Composition Analysis) product. SCA is currently available for Container Security.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.