Description
PrimeFaces is an open source User Interface (UI) component library for JavaServer Faces (JSF)-based applications. Giorgio Fedon of Minded Security has found two critical vulnerabilities in the PrimeFaces 5.x implementation.
By abusing one of these issues any user can execute arbitrary code on the application server without authentication.
- PrimeSecret is the default hard-coded passphrase to encrypt several PrimeFaces parameters such as "pfdrid".
- PrimeOracle is a padding oracle attack against the internal crypto routine that decrypts several parameters such as "pfdrid".
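A padding oracle attack of the kind described above is driven by a large number of requests carrying tweaked "pfdrid" values, most of which fail to decrypt cleanly. The following added example (not PrimeFaces code and not part of the advisory) flags that pattern in web server access logs; the combined log format, the /app/view.xhtml path, the client addresses, the assumption that decryption failures surface as 5xx responses and the thresholds are all assumptions.

```python
"""Flag padding-oracle-style probing of the PrimeFaces "pfdrid" parameter.
Added detection example, not PrimeFaces code; the sample log is constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# combined log format: client ident user [timestamp] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) '
                    r'(?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+')


def parse_line(line):
    """Return {ip, status, pfdrid} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m["url"]).query)
    return {"ip": m["ip"], "status": int(m["status"]),
            "pfdrid": query.get("pfdrid", [None])[0]}


def find_oracle_probing(lines, min_requests=20, min_error_ratio=0.5):
    """Flag clients sending many requests with differing pfdrid values that
    mostly come back as 5xx (assumed here to be how decryption failures show)."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "values": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["pfdrid"] is None:
            continue  # unparseable, or not a pfdrid request
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["values"].add(rec["pfdrid"])
        s["errors"] += rec["status"] >= 500
    return {ip: {"requests": s["requests"], "errors": s["errors"],
                 "distinct_values": len(s["values"])}
            for ip, s in stats.items()
            if s["requests"] >= min_requests and len(s["values"]) > 1
            and s["errors"] / s["requests"] >= min_error_ratio}


def constructed_log():
    """Constructed sample: one ordinary client, one client cycling pfdrid values."""
    fmt = ('{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
           '"GET /app/view.xhtml?pfdrid={val} HTTP/1.1" {status} 512')
    lines = [fmt.format(ip="203.0.113.10", sec=0, val="abc123", status=200)]
    for i in range(30):  # 27 server errors out of 30 requests
        lines.append(fmt.format(ip="198.51.100.7", sec=i, val=f"c{i:02x}",
                                status=200 if i % 10 == 0 else 500))
    return lines
```

Tune the thresholds to the real traffic of the application; the upgrade named under Remediation is the actual fix, and this only helps spot probing against instances that have not yet been patched.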
Remediation
Please upgrade to the latest version of PrimeFaces or install the official fix. The official fix can be found in the Web references section.
References