The Cybersecurity and Infrastructure Security Agency (CISA), the main cybersecurity agency in the U.S., has issued a warning about a legacy vulnerability in JBoss RichFaces that is currently being exploited in attacks. This vulnerability, known as CVE-2018-14667, was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on Thursday. Federal agencies have been directed to implement mitigations or cease using the affected product by October 19.
JBoss RichFaces is a project by Red Hat JBoss that offers an advanced UI component framework for integrating Ajax capabilities into business applications using JavaServer Faces (JSF). However, the project was officially discontinued in June 2016.
The CVE-2018-14667 vulnerability was first identified in 2018. At that time, Red Hat acknowledged that several of its products were affected and released patches to address the issue. This vulnerability is considered 'critical' and is characterized as an expression language injection issue that allows a remote, unauthenticated attacker to run arbitrary code.
While proof-of-concept (PoC) exploits and tools targeting this flaw have been publicly available for several years, there had been no public reports of actual exploitation in the wild until now. It's worth noting, however, that CISA only adds a vulnerability to its KEV catalog when it has reliable evidence of exploitation.
As of now, no details have been disclosed about the attacks that exploited CVE-2018-14667. Therefore, it remains unclear if CISA is aware of ongoing exploitation or if it has recently discovered evidence of past attacks.