JVNDB-2015-001959

[Japanese]
JVNDB-2015-001959
JBoss RichFaces vulnerable to remote Java code execution
Overview
JBoss RichFaces contains a remote Java code execution vulnerability. JBoss RichFaces is an Ajax-enabled component library for JavaServer Faces (JSF). JBoss RichFaces contains a flaw in parsing the do parameter, which may result in arbitrary Java code execution. Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

Red Hat, Inc. JBoss RichFaces versions prior to 4.5.4

Impact
When a specially crafted input is processed, arbitrary Java code may be executed on the application server.
Solution
[Update the Software] Update to the latest version according to the information provided by the developer.
Vendor Information
Red Hat, Inc. GitHub : RF-13977: prevent EL expression from executing methods JBoss Community : RichFaces RichFaces 4.5.4.Final Release Announcement JBoss Community : Stable Downloads JBoss Issue Tracker : RF-13977: Remote Command Injection (EL Injection) Red Hat Security Advisory : Important: Red Hat JBoss Web Framework Kit 2.7.0 security update
CWE (What is CWE?)
Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)
CVE-2015-0279
References
JVN : JVN#56297719 National Vulnerability Database (NVD) : CVE-2015-0279 IPA SECURITY ALERTS : Security Alert for Vulnerability in JBoss RichFaces (JVN#56297719) (in Japanese)
Revision History
[2015/04/14] Web page was published


Date Public	2015/03/24
Date First Published	2015/04/14
Date Last Updated	2015/04/14

JBoss RichFaces vulnerable to remote Java code execution