JBoss RichFaces vulnerable to remote code execution


JBoss RichFaces contains a remote code execution vulnerability due to an issue with deserialization.

JBoss RichFaces is a framework for integrating Ajax into web applications. JBoss RichFaces applications contain a deserialization interface where end users may provide input. This interface may deserialize untrusted data, which may lead to arbitrary code execution.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

RichFaces applications that are created using the following JBoss RichFaces's versions are affected:

Red Hat, Inc.
  • JBoss Enterprise Application Platform 5.x through 5.2.0
  • JBoss Enterprise Application Platform through 4.3.0 CP10
  • JBoss Enterprise Web Platform through 5.2.0
  • JBoss RichFaces 3.x
  • JBoss RichFaces 4.x
  • JBoss RichFaces 5.x
  • JBoss Web Framework Kit before 2.3.0
  • Red Hat JBoss BRMS through 5.3.1
  • Red Hat JBoss Operations Network 3.x through 3.1.2
  • Red Hat JBoss Operations Network through 2.4.2
  • Red Hat JBoss Portal 5.x through 5.2.2
  • Red Hat JBoss Portal through 4.3 CP07
  • Red Hat JBoss SOA Platform 5.x through 5.3.1
  • Red Hat JBoss SOA Platform through 4.3.0 CP05


When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.

[Apply a patch]
Apply the appropriate patch according to the information provided by the developer.
Vendor Information

Red Hat, Inc.
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2013-2165

  1. JVN : JVN#38787103
  2. National Vulnerability Database (NVD) : CVE-2013-2165
  3. IPA SECURITY ALERTS : Security Updates Available for JBoss RichFaces (JVN#38787103) (in Japanese)
Revision History

  • [2013/07/19]
      Web page was published
      Affected Products : Products were added
      References : Content was added