CVE-2018-14667
Published: 06 November 2018
Summary
CVE-2018-14667 is a critical-severity Code Injection (CWE-94) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The RichFaces Framework versions 3.x through 3.3.4 contain an Expression Language injection vulnerability in the UserResource component. The flaw resides in org.ajax4jsf.resource.UserResource$UriData and is tracked as CWE-94, allowing code injection through improper handling of serialized data. It received a CVSS 3.1 score of 9.8, reflecting network-accessible attack conditions with no required authentication or user interaction.
A remote unauthenticated attacker can supply a crafted chain of Java serialized objects to the UserResource endpoint, resulting in arbitrary code execution on the server. The attack requires only the ability to reach the affected RichFaces application and does not depend on any authenticated session or special privileges.
Red Hat has published errata RHSA-2018:3517 and RHSA-2018:3518 that address the issue in supported products. Public references also describe the Richsploit exploitation toolkit and related disclosure activity from 2020, indicating that working proof-of-concept code has been made available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-4307
Vulnerability details
The RichFaces Framework 3.x through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
- CWE(s): CWE-94
- KEV Date Added: 28 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the crafted serialized object chain supplied to the UserResource endpoint before EL evaluation occurs.
- SI-2 (Flaw Remediation): requires prompt application of the Red Hat errata that remove the vulnerable UserResource$UriData deserialization path.
- Enforces access-control policy on the unauthenticated UserResource endpoint so that only explicitly permitted requests reach the injection point.