CVE-2018-14667 - Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

Vulnerability Name

Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

Description

Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667

https://nvd.nist.gov/vuln/detail/CVE-2018-14667