(Red Hat Issues Fix) Red Hat JBoss EAP RichFaces Access Control Bug Lets Remote Users Execute Arbitrary Code on the Target System
|
|
SecurityTracker Alert ID: 1042042 |
|
SecurityTracker URL: https://securitytracker.com/id/1042042
|
|
CVE Reference:
CVE-2018-14667
(Links to External Site)
|
Date: Nov 7 2018
|
Impact:
Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
A vulnerability was reported in Red Hat JBoss. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted UserResource RichFaces expression language that contains a tainted java serialized object org.ajax4jsf.resource.UserResource$UriData expression that will trigger deserialization after clearing white list protections. As a result, arbitrary code may be executed on the target system.
Joao Filho Matos Figueiredo reported this vulnerability.
|
Impact:
A remote user can execute arbitrary code on the target system.
|
Solution:
Red Hat has issued a fix for SOA Platform 5.3.1.
The Red Hat advisory is available at:
https://access.redhat.com/errata/RHSA-2018:3519
|
Vendor URL: access.redhat.com/errata/RHSA-2018:3519 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS: Linux (Red Hat Enterprise)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Subject: [RHSA-2018:3519-01] Critical: Red Hat JBoss SOA Platform security update
|
[Original Message Not Available for Viewing]
|
|
