JBoss RichFaces vulnerable to remote code execution


JBoss RichFaces contains a remote code execution vulnerability due to an issue with deserialization.

JBoss RichFaces is a framework for integrating Ajax into web applications. JBoss RichFaces applications expose a deserialization interface that accepts input from end users. Because this interface may deserialize untrusted data, it may lead to arbitrary code execution.
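The defensive pattern this class of bug calls for, as an added illustration rather than RichFaces code or the vendor's fix: an ObjectInputStream that refuses any class not on an explicit allowlist, rejecting the stream before an unexpected type is instantiated. The ResourceKey type and the HashMap used as "anything else" are constructed for the example; it assumes Java 9 or later for Set.of.

```java
import java.io.*;
import java.util.Set;

public class SafeDeserialization {
    // ObjectInputStream that only admits allowlisted classes. resolveClass() runs for each
    // class descriptor before an instance exists, so unexpected types never get constructed.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Hypothetical type standing in for the one object client-supplied input should legitimately carry.
    static final class ResourceKey implements Serializable {
        final String name;
        ResourceKey(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Set<String> allowed = Set.of(ResourceKey.class.getName());

        // Constructed input of the expected type: accepted.
        byte[] good = serialize(new ResourceKey("images/logo.png"));
        try (ObjectInputStream in = new AllowlistObjectInputStream(good, allowed)) {
            System.out.println("accepted: " + ((ResourceKey) in.readObject()).name);
        }

        // Constructed input of any other type (a harmless HashMap here): rejected before construction.
        byte[] other = serialize(new java.util.HashMap<String, String>());
        try (ObjectInputStream in = new AllowlistObjectInputStream(other, allowed)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the JDK's built-in ObjectInputFilter (JEP 290) instead of overriding resolveClass.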

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

RichFaces applications created using the following versions of JBoss RichFaces are affected:

Red Hat, Inc.
  • JBoss Enterprise Web Platform through 5.2.0
  • JBoss Operations Network 3.x through 3.1.2
  • JBoss Operations Network through 2.4.2
  • JBoss RichFaces 3.x
  • JBoss RichFaces 4.x
  • JBoss RichFaces 5.x
  • JBoss Web Framework Kit before 2.3.0
  • Red Hat JBoss BRMS through 5.3.1
  • Red Hat JBoss Enterprise Application Platform 5.x through 5.2.0
  • Red Hat JBoss Enterprise Application Platform through 4.3.0 CP10
  • Red Hat JBoss Portal Platform 5.x through 5.2.2
  • Red Hat JBoss Portal Platform through 4.3 CP07
  • Red Hat JBoss SOA Platform 5.x through 5.3.1
  • Red Hat JBoss SOA Platform through 4.3.0 CP05

Impact

When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.

Solution

[Apply a patch]
Apply the appropriate patch according to the information provided by the developer.

Vendor Information

Red Hat, Inc.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2013-2165

References

  1. JVN : JVN#38787103
  2. National Vulnerability Database (NVD) : CVE-2013-2165
  3. IPA SECURITY ALERTS : Security Updates Available for JBoss RichFaces (JVN#38787103) (in Japanese)

Revision History

  Web page was published
  Affected Products : Products were added
  References : Content was added