JVN#38787103
JBoss RichFaces vulnerable to remote code execution
Overview
JBoss RichFaces contains a remote code execution vulnerability caused by deserialization of untrusted data.
Products Affected
Applications built with the following RichFaces versions are affected:
- RichFaces 5.x
- RichFaces 4.x
- RichFaces 3.x
Description
JBoss RichFaces is a framework for integrating Ajax into web applications. RichFaces applications expose an interface that deserializes data supplied by end users. Because this data is deserialized without being validated, a remote attacker who supplies a specially crafted serialized object may execute arbitrary code.
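To make the bug class concrete, the following is an added illustration of unsafe versus allowlisted Java deserialization. It is not RichFaces code and is not taken from the vendor or from JVN; the request parameter name, the Base64 encoding, and the contents of the allowlist are hypothetical, and the actual RichFaces code path is not described on this page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;

/**
 * Illustration of the bug class behind this advisory: an endpoint that
 * deserializes a value taken from the request. Hypothetical code, not
 * RichFaces; the parameter format and allowlist are assumptions.
 */
public final class DeserializationExample {

    /** Vulnerable pattern: untrusted bytes go straight into readObject(). */
    public static Object readUntrusted(String base64Param)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Param);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
            // Any class on the server's classpath whose readObject()/readResolve()
            // has side effects, or a chain of such classes, runs here.
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: an ObjectInputStream that refuses to resolve any class
     * outside a small allowlist. resolveClass() is consulted for every class
     * descriptor in the stream before an instance is created, so a gadget class
     * is rejected before its deserialization hooks can run.
     */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not permitted in stream");
            }
            return super.resolveClass(desc);
        }
    }

    /** Hypothetical allowlist: only the types this endpoint legitimately expects. */
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.Integer",
            "java.lang.Number",
            "java.util.ArrayList");

    public static Object readAllowlisted(String base64Param)
            throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(base64Param);
        try (ObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(raw), ALLOWED)) {
            return in.readObject();
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Demo on constructed input: an ArrayList passes, a HashMap (not allowlisted) is rejected. */
    public static void main(String[] args) throws Exception {
        ArrayList<String> ok = new ArrayList<>();
        ok.add("hello");
        String okBlob = Base64.getEncoder().encodeToString(serialize(ok));
        System.out.println("allowlisted: " + readAllowlisted(okBlob));

        String badBlob = Base64.getEncoder().encodeToString(serialize(new HashMap<String, String>()));
        try {
            readAllowlisted(badBlob);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The example needs Java 9 or later for Set.of. On Java 9+ the same effect can be obtained with the built-in ObjectInputFilter (ObjectInputStream.setObjectInputFilter), which additionally limits stream depth and array sizes; the resolveClass override above is the portable form for older runtimes.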
Impact
A remote attacker who sends specially crafted input may write arbitrary files or execute arbitrary code on the application server.
Solution
Apply a patch
Apply the appropriate patch according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2013-2165
JVN iPedia | JVNDB-2013-000072