Description

PrimeFaces is a open source User Interface (UI) component library for JavaServer Faces (JSF) based applications. Giorgio Fedon of Minded Security has found two critical vulnerabilities in the PrimeFaces 5.x implementation.

By abusing one of these issues any user can execute arbitrary code on the application server without authentication.

  • PrimeSecret is the default hard-coded passphrase to encrypt several PrimeFaces parameters such as "pfdrid".
  • PrimeOracle is the abuse of a Padding Oracle attack against the internal crypto algorithm that decrypts several parameters such as "pfdrid".

Remediation

Please upgrade to the latest version of PrimeFaces or install the official fix. The official fix can be found in the Web references section.

References

PrimeFaces EL Injection fix

RCE in Oracle NetBeans Opensource Plugins

Padding Oracle attack

Related Vulnerabilities

GitLab ExifTool RCE (CVE-2021-22205)

phpMyAdmin v3.5.2.2 backdoor

Microsoft IIS 6.0 WebDAV Buffer Overflow

Oracle WebLogic Remote Code Execution via T3

WordPress Plugin Best Seo Remote Code Execution (1.5)

Severity

High

Classification

CVE-2017-1000486 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Tags

Default Credentials Eli Injection Weak Crypto Weak Credentials Code Execution