CVE-2017-1000486
Published: 03 January 2018
Summary
CVE-2017-1000486 is a critical-severity Inadequate Encryption Strength (CWE-326) vulnerability in Primetek Primefaces. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Primetek Primefaces 5.x is affected by a weak encryption flaw that results in remote code execution. The issue is identified as CVE-2017-1000486, carries a CVSS v3.1 score of 9.8, and is categorized under CWE-326 for inadequate encryption strength.
The flaw can be exploited by unauthenticated remote attackers over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution that impacts confidentiality, integrity, and availability on the target system.
Public references document the weakness through technical write-ups and include a functional exploit on Exploit-DB along with discussion in the PrimeFaces GitHub issue tracker.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-1339
Vulnerability details
Primetek Primefaces 5.x is vulnerable to a weak encryption flaw resulting in remote code execution.
- CWE(s): CWE-326 (Inadequate Encryption Strength)
- KEV Date Added: 10 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SC-13 (Cryptographic Protection): Directly requires cryptographic protection mechanisms with adequate strength, eliminating the weak encryption (CWE-326) that enables unauthenticated RCE.
- SI-2 (Flaw Remediation): Mandates timely remediation of known flaws such as CVE-2017-1000486 in PrimeFaces, removing the vulnerable weak-encryption code path before exploitation.
- Enforces cryptographic protection of information in transit, which would have prevented tampering with the encrypted ViewState or similar data structures used in the exploit.