RichFaces Framework 3.X Expression Language (EL) Injection (CVE-2018-14667)

Recently, a new vulnerability in the RichFaces framework was discovered and was assigned with CVE-2018-14667.

RichFaces is one of the libraries that implement the JavaServer faces (JSF) specification which is the Java standard for building server-side user interfaces. RichFaces provides large amount of advanced Ajax based UI components.

In this case the vulnerable feature of RichFaces is the one that allows it to dynamically generate resources such as images or videos based on data received from the user. Each one of those resources are assigned with a unique identifier that is sent to the server via the requested URL alongside with a Java serialized object that is deserialized by the server and supplies it with the metadata required for generating and rendering the resource. The serialized Java object that is passed to the server is compressed and encoded using the URL safe base64 encoding.

Figure 1: RichFaces dynamically generated JPEG file.

Figure 2: Example of decompressing and decoding the data sent to the server

In past cases it was found that those Java serialized objects helping RichFaces to serve resources could be replaced with malicious ones that may allow attackers to execute arbitrary code on the server running RichFaces, and this case is of no difference. João Matos the researcher who discovered the vulnerability found that another class of resources named “UserResource” by RichFaces receives serialized Java objects as input and therefor prone to similar vulnerability.

Mitigating the vulnerability using iRulesLX

BIG-IP customers are encouraged to deploy the attached iRule in order to mitigate this vulnerability. The usage of a dedicated iRule is required as the payload exploiting the vulnerability is both encoded and compressed.

/Portals/0/Images/userfiles/306666/CVE-2018-14667.zip

Additional Reading

https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html