CVE-2018-14667
Published: September 28, 2023
Official Description
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
CISA KEV Advisory
Red Hat JBoss RichFaces Framework Expression Language Injection Vulnerability
Red Hat JBoss RichFaces Framework contains an expression language injection vulnerability via the UserResource resource. A remote, unauthenticated attacker could exploit this vulnerability to execute malicious code using a chain of Java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Risk Analysis
This vulnerability in Red Hat JBoss RichFaces Framework is an expression language injection flaw via the UserResource resource, allowing a remote, unauthenticated attacker to execute malicious code. Its high EPSS score of 0.89374 and inclusion in CISA's KEV confirm active exploitation, making it a critical remote code execution risk.
Active exploitation of this vulnerability has been observed in the wild and it is listed in CISA's KEV, indicating confirmed real-world attacks. The flaw is remotely exploitable and does not require authentication.
Organizations using Red Hat JBoss RichFaces Framework should update to a patched version immediately. Review and harden configurations to prevent expression language injection attacks.
Technical Analysis
CVE-2018-14667 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2018-14667 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2018-14667 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per BOD 22-01 timeline
- Active exploitation confirmed: treat as P1