Executive Summary

This vulnerability exists in the OmniFaces utility library for Faces, specifically in versions prior to 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. It is a server-side Expression Language (EL) injection that can lead to Remote Code Execution (RCE). The issue arises when applications use the CDNResourceHandler with a wildcard CDN mapping, allowing an attacker to craft a resource request URL containing an EL expression in the resource name. This expression is then evaluated on the server side, enabling the attacker to execute arbitrary code remotely.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to remotely execute arbitrary code on the affected server. This can lead to unauthorized access, data theft, data manipulation, service disruption, or complete takeover of the server hosting the vulnerable application.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OmniFaces to one of the patched versions: 1.14.2, 2.7.32, 3.14.16, 4.7.5, or 5.2.3.

Additionally, avoid using CDNResourceHandler with wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*) until the upgrade is applied, as this configuration is vulnerable to server-side EL injection leading to remote code execution.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows server-side EL injection leading to Remote Code Execution (RCE), which can result in unauthorized access to sensitive data or system control.

Such unauthorized access or data breaches could potentially lead to non-compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information.

However, the provided information does not explicitly mention the impact on compliance with these standards.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for resource request URLs that contain suspicious Expression Language (EL) expressions in the resource name, especially if your application uses CDNResourceHandler with wildcard CDN mappings (e.g., libraryName:*=https://cdn.example.com/*).

You can look for HTTP requests with resource names containing EL syntax patterns such as ${...} or #{...} which may indicate attempts to exploit the vulnerability.

Example commands to detect such attempts in web server logs or network traffic include:

• Using grep to find EL expressions in logs: grep -E '\$\{.*\}|#\{.*\}' access.log
• Using tcpdump to capture HTTP requests and filter for EL patterns (requires further processing): tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E '\$\{.*\}|#\{.*\}'
• Using web application firewall (WAF) rules to detect and block requests containing EL expressions in resource names.

Additionally, verifying the OmniFaces version in use and checking for wildcard CDN mappings in your configuration can help identify if your system is vulnerable.

Useful 0 Not Useful 0