RichFaces is an open source project: an advanced user interface component framework used to easily integrate Ajax capabilities into JavaServer applications. It is designed and developed by JBoss.

The past vulnerabilities CVE-2013-2165 and CVE-2015-0279 allow RCE in versions 3.x ≤ 3.3.3 and 4.x ≤ 4.5.3. Code White discovered two new vulnerabilities that bypass the implemented mitigations. As a result, all RichFaces versions, including the latest 3.3.4 and 4.5.17, are vulnerable to RCE.

RichFaces has three different version branches: 3.x, 4.x, and 5.x. However, as 5.x has never been considered as a state, it is rather irrelevant. In early 2016, the developers of RichFaces announced the end-of-life of RichFaces in June 2016. The latest releases of the respective branches are 3.3.4 and 4.5.17.


Arbitrary Java Deserialization in RichFaces 3.x ≤ 3.3.3 and 4.x ≤ 4.3.2

Deserialization of arbitrary Java serialized object streams in org.ajax4jsf.resource.ResourceBuilderImpl allows remote code execution.


Arbitrary EL Evaluation in RichFaces 4.x ≤ 4.5.3

Injection of arbitrary EL method expressions in org.richfaces.resource.MediaOutputResource allows remote code execution.

Both bugs depend on the feature that generates images, video, sounds, and other resources on the fly based on data provided in the request. The request data is either a plain array of bytes or a Java serialized object stream.
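An added example, not code from RichFaces or from Code White: one way to restrict which classes a Java serialized object stream taken from request data may contain, by checking each class name before it is resolved. The class names, the allowlist contents and the sample inputs are assumptions made for illustration.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserialization {
    // Hypothetical allowlist: the only classes a resource-state stream may contain.
    // java.lang.Number is needed because it is the serializable superclass of Integer.
    static final Set<String> ALLOWED = Set.of(
        "java.lang.Integer", "java.lang.Number", "java.lang.String", "[B");

    // Look-ahead stream: every class descriptor is checked before an instance is created.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Deserialize untrusted bytes; throws InvalidClassException on any unlisted class.
    static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Helper used only to build the constructed sample inputs below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs standing in for request data.
        System.out.println("accepted: " + readUntrusted(serialize(Integer.valueOf(42))));
        try {
            readUntrusted(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

An allowlist of this kind is only as strong as the classes on it: any listed class that does work during deserialization weakens the check, so it should be kept to plain data types.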

