[CVSS 9+] Exploited Red Hat JBoss Vulnerability

Executive Summary

CISA has added a new vulnerability, CVE-2018-14667, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.

The vulnerability affects the Red Hat JBoss RichFaces Framework and has a CVSS score of 9.8. Organizations running affected platforms are urged to update, as the vulnerability has been observed being exploited.

Vulnerability and Fixes

The CVE-2018-14667 vulnerability in the Red Hat JBoss RichFaces Framework allows for expression language injection via the UserResource resource.

A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects.

Vulnerability Information in the Known Exploited Vulnerabilities Catalog:

Description: Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.

Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Due Date: 2023-10-19
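The catalog entry above names the vulnerable resource class, `org.ajax4jsf.resource.UserResource`, which RichFaces addresses by class name in the request path. A first-pass hunt for attempts against it is therefore to scan web-server access logs for requests whose path references that resource. The script below is an added example written for this post, not code from CISA, Red Hat, or the RichFaces project. It assumes Combined-format access logs; the sample log lines and the `/DATA/...` path layout are constructed placeholders and the marker string is the only part taken from the advisory.

```python
import re
from urllib.parse import unquote

# Marker taken from the advisory text: the vulnerable RichFaces resource is
# addressed by this class name in the request path.
USERRESOURCE_MARKER = "org.ajax4jsf.resource.UserResource"

# Combined log format: client, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one Combined-format access-log line; return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_userresource_request(path):
    """True if the request path references the UserResource class.

    The path is percent-decoded twice so that single- and double-encoded
    variants (e.g. '%2E' for '.') do not slip past a plain substring match,
    and the comparison is case-insensitive.
    """
    decoded = unquote(unquote(path))
    return USERRESOURCE_MARKER.lower() in decoded.lower()


def find_userresource_requests(lines):
    """Return the parsed records of every request that targets UserResource."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not parse rather than abort the scan
        if is_userresource_request(rec["path"]):
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client address for triage."""
    counts = {}
    for rec in hits:
        counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return counts


# Constructed sample log lines (not real traffic). The IPs are documentation
# addresses and the /DATA/... segment is a placeholder, not a real payload.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:12:00:01 +0000] "GET /app/index.jsf HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2023:12:00:02 +0000] '
    '"GET /app/a4j/s/org.ajax4jsf.resource.UserResource/DATA/CONSTRUCTED-PLACEHOLDER HTTP/1.1" 200 812',
    '198.51.100.21 - - [10/Oct/2023:12:00:03 +0000] "POST /app/login.jsf HTTP/1.1" 302 0',
    '203.0.113.7 - - [10/Oct/2023:12:00:04 +0000] '
    '"GET /app/a4j/s/org%2Eajax4jsf%2Eresource%2EUserResource/DATA/CONSTRUCTED-PLACEHOLDER HTTP/1.1" 500 0',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    flagged = find_userresource_requests(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["time"]} {rec["client"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print(summarize_by_client(flagged))
```

A hit on an unpatched host is not proof of compromise, but any external client reaching this resource on a system that has not applied the Red Hat fixes should be prioritized for investigation, and a burst of such requests with 500 responses is worth correlating with application-server logs from the same window.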

Based on the Red Hat security advisory, here is the list of impacted software along with the fixes:

Further information can be found in the Red Hat security advisory.

⚠️ The vulnerability was detected in 2018, and Red Hat has provided patches and mitigation instructions for the affected software. Organizations using impacted platforms are urged to follow the instructions in the Red Hat security advisory!

CISA’s Known Exploited Vulnerabilities Catalog

CISA’s Known Exploited Vulnerabilities Catalog is a living list of known Common Vulnerabilities and Exposures (CVEs) that pose significant risks to the federal enterprise.

It was established through Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities to protect their networks against active threats.

While the directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation of catalog vulnerabilities as part of their vulnerability management practice.

The catalog is continuously updated with new vulnerabilities that meet the specified criteria.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.