Cyber Resilience

CVE-2018-14667

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 06 November 2018
Modified: 03 November 2025
KEV Added: 28 September 2023
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8946 (99.6th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-14667 is a critical-severity Code Injection (CWE-94) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The RichFaces Framework versions 3.x through 3.3.4 contain an Expression Language injection vulnerability in the UserResource component. The flaw resides in org.ajax4jsf.resource.UserResource$UriData and is tracked as CWE-94, allowing code injection through improper handling of serialized data. It received a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction.

A remote unauthenticated attacker can supply a crafted chain of Java serialized objects to the UserResource endpoint, resulting in arbitrary code execution on the server. The attack requires only the ability to reach the affected RichFaces application and does not depend on any authenticated session or special privileges.

Red Hat has published errata RHSA-2018:3517 and RHSA-2018:3518 that address the issue in supported products. Public references also describe the Richsploit exploitation toolkit and related disclosure activity from 2020, indicating that working proof-of-concept code has been made available.


Vulnerability details

The RichFaces Framework 3.x through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

CWE(s): CWE-94 (Code Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Vendor: redhat; Product: richfaces; Versions: 3.1.0 through 3.3.4
- Vendor: redhat; Product: enterprise linux; Versions: 5.0, 6.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): Directly blocks the crafted serialized object chain supplied to the UserResource endpoint before EL evaluation occurs.
- prevent (SI-2, Flaw Remediation): Requires prompt application of the Red Hat errata that remove the vulnerable UserResource$UriData deserialization path.
- prevent: Enforces access-control policy on the unauthenticated UserResource endpoint so that only explicitly permitted requests reach the injection point.

References