Bug 1584492 – CVE-2018-12532 RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1584492 - (CVE-2018-12532) CVE-2018-12532 RichFaces: Injection of arbitrary EL variable mapper allows to bypass mitigation of CVE-2015-0279 and thereby remote code execution

Summary:	CVE-2018-12532 RichFaces: Injection of arbitrary EL variable mapper allows to...

Status:	NEW

Aliases:	CVE-2018-12532

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	urgent Severity urgent
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=critical,public=20180530,repor...
Keywords:	Security

Depends On:
Blocks:	1584491
	Show dependency tree / graph

Reported:	2018-05-31 00:15 EDT by Sam Fowler
Modified:	2018-10-31 17:35 EDT (History)
CC List:	54 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Sam Fowler 2018-05-31 00:15:45 EDT

RichFaces version 4.5.3 ≤ 4.5.17 is vulnerable to injection of arbitrary EL variable mappers, allowing mitigation bypass of CVE-2015-0279 and thereby remote code execution.


External Reference:

https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html

Comment 1 Sam Fowler 2018-05-31 00:29:33 EDT

Upstream issue:

https://issues.jboss.org/browse/RF-14309

Comment 5 Chess Hazlett 2018-05-31 13:14:32 EDT

Statement:

This issue does not affect the following Red Hat products, as they do not include the vulnerable version of the RichFaces component:
Red Hat JBoss EAP 5.2
Red Hat JBoss Data Virtualization 6.4
Red Hat JBoss BRMS 5.3
Red Hat JBoss Operations Network 3.3

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
anstephe
apintea
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
drieden
etirelli
fgavrilo
gvarsami
ibek
jawilson
jboss-set
jcoleman
jolee
jondruse
jschatte
jstastny
kconner
krathod
kverlaen
ldimaggi
lgao
loleary
lpetrovi
myarboro
nwallace
paradhya
pgier
pjurak
ppalaga
psakar
pslavice
pszubiak
rnetuka
rrajasek
rstancel
rsvoboda
rsynek
rwagner
rzhang
sdaley
spinder
tcunning
theute
tkirby
twalsh
vhalbert
vtunka