SB2018101802 - Remote code execution in Red Hat JBoss RichFaces

Description

This security bulletin contains information about 1 security vulnerability.

1) Code injection (CVE-ID: CVE-2018-12533)

The vulnerability allows a remote attacker to inject arbitrary code on the target system.

The vulnerability exists in Red Hat JBoss RichFaces due to the affected software allows injection of arbitrary Expression Language (EL) expressions. A remote unauthenticated attacker can use the org.richfaces.renderkit.html.Paint2DResource$ImageData object (RF-14310) to pass malicious resource data and execute arbitrary Java code.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/security/cve/cve-2018-12533
• https://access.redhat.com/errata/RHSA-2018:2663
• https://access.redhat.com/errata/RHSA-2018:2664
• https://access.redhat.com/errata/RHSA-2018:2930