[CDP-development] FW: CVE-2023-14667 - Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability

ALBIN Cinnamon S * DAS cinnamon.s.albin at das.oregon.gov
Thu Sep 28 12:58:48 PDT 2023


Good afternoon,

The SOC Services team is reporting on the vulnerability CVE-2023-14667: Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability. Because of its high visibility and our knowledge of the software installed in the state environment, we are providing this in-depth information:

History: On November 6, 2018, Red Hat released a security advisory warning about a RichFaces Framework Expression Language injection via UserResource vulnerability; at that time the CVE was registered as CVE-2018-14667. A remote, unauthenticated attacker could exploit this vulnerability to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData. On September 28, 2023, CISA added the updated CVE-2023-14667 to the Known Exploited Vulnerabilities Catalog.

The following products are affected:

  *   JBoss Enterprise Application Platform 5 for RHEL 6 x86_64
  *   JBoss Enterprise Application Platform 5 for RHEL 6 i386
  *   JBoss Enterprise Application Platform 5 for RHEL 5 x86_64
  *   JBoss Enterprise Application Platform 5 for RHEL 5 i386

Fixes in order of release:

  *   BZ - 1639139<https://bugzilla.redhat.com/show_bug.cgi?id=1639139> - CVE-2018-14667 RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution
  *   BZ - 1640767<https://bugzilla.redhat.com/show_bug.cgi?id=1640767> - Tracker bug for the EAP 5.2.0 release for RHEL-5.
  *   BZ - 1640782<https://bugzilla.redhat.com/show_bug.cgi?id=1640782> - Tracker bug for the EAP 5.2.0 release for RHEL-6.

Red Hat has released advisories related to CVE-2023-14667 (Previously CVE-2018-14667) which can be found below:

  *   https://access.redhat.com/errata/RHSA-2018:3517
  *   https://access.redhat.com/errata/RHSA-2018:3518
  *   https://access.redhat.com/errata/RHSA-2018:3519
  *   https://access.redhat.com/errata/RHSA-2018:3581

Intelligence: As of September 28, 2023, the vulnerability has been confirmed to be exploited in the wild.

Workarounds: To mitigate this vulnerability, customers are advised to disable Expression Language evaluation in RichFaces or, if this is not feasible, to add sanitization of any Expression Language received from untrusted sources. Expression Language whitelisting could be added after the ResourceBuilderImpl class's getResourceDataForKey method invokes LookAheadObjectInputStream.
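As an added illustration of the whitelisting workaround (example code written for this bulletin, not RichFaces or Red Hat code), the class below accepts only plain property-chain expressions whose root name is on an allowlist and rejects method calls, literals, bracket access and unknown roots; it is the kind of check one would call on the expression string recovered from the deserialized UriData, at the point described above. The class name ElAllowlist and the allowed root names "user" and "imageBean" are assumptions for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allowlist validator for Expression Language strings received in a
 * RichFaces UserResource request. Example code, not part of RichFaces.
 */
public final class ElAllowlist {

    // Only simple property chains such as #{user.avatar} or #{bean.images.thumb}.
    // Anything with parentheses, quotes, operators or brackets fails to match.
    private static final Pattern SAFE_EL =
        Pattern.compile("^#\\{[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*\\}$");

    // Root beans that the application legitimately exposes to UserResource
    // (assumed names for illustration); every other root is rejected.
    private static final Set<String> ALLOWED_ROOTS =
        new HashSet<String>(Arrays.asList("user", "imageBean"));

    private ElAllowlist() {}

    /** Returns true only for a short, syntactically simple expression on an allowed root. */
    public static boolean isAllowed(String expression) {
        if (expression == null || expression.length() > 256) {
            return false;
        }
        if (!SAFE_EL.matcher(expression).matches()) {
            return false;
        }
        // Strip "#{" and "}" and take the first dotted segment as the root bean name.
        String body = expression.substring(2, expression.length() - 1);
        String root = body.split("\\.", 2)[0];
        return ALLOWED_ROOTS.contains(root);
    }

    public static void main(String[] args) {
        String[] samples = {
            "#{user.avatar}",            // allowed: simple chain on allowed root
            "#{imageBean.thumb.bytes}",  // allowed
            "#{user.getClass()}",        // rejected: method call
            "#{''.getClass()}",          // rejected: string literal and method call
            "#{request.foo}",            // rejected: root not on the allowlist
            "#{a[b]}"                    // rejected: bracket access
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %s%n", s, isAllowed(s) ? "ALLOW" : "REJECT");
        }
    }
}
```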

How it works: The vulnerability allows unauthenticated users to achieve remote code execution on any web application using RichFaces 3.X. A payload is generated and sent to the server; once that code has executed on the server, the attacker has access to the web application.

Post-Exploit: Upon successful exploitation of the vulnerability, a threat actor could execute arbitrary Java code or possibly system code.

As of November 14, 2018, the following vulnerability detection plugin has been released and is currently in Tenable Security Center:

  Plugin:   118943<https://www.tenable.com/plugins/nessus/118943>
  Title:    RHEL 6 : JBoss EAP (RHSA-2018:3517)
  Severity: Critical

Recommended Actions:


  *   Verify that the host has not been compromised before applying patches.
  *   Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
  *   Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
