US cybersecurity agency CISA is warning organizations that an old vulnerability affecting JBoss RichFaces has been exploited in attacks.
The flaw, tracked as CVE-2018-14667, was added by CISA on Thursday to its Known Exploited Vulnerabilities (KEV) Catalog, with federal agencies being instructed to apply mitigations or discontinue the use of the product by October 19.
RichFaces is a Red Hat JBoss project that provides an advanced UI component framework for easily integrating Ajax capabilities into business applications using JSF. The project officially reached end-of-life in June 2016.
CVE-2018-14667 was discovered in 2018, when Red Hat confirmed that several of its products were impacted and released patches.
The vulnerability, rated ‘critical’, has been described as an expression language injection issue that allows a remote, unauthenticated attacker to execute arbitrary code.
While proof-of-concept (PoC) exploits and tools designed to exploit the flaw have been around for years, there do not appear to be any public reports describing actual exploitation in the wild. However, CISA only adds vulnerabilities to its KEV catalog if it has reliable evidence of exploitation.
Since no information has been shared on the attacks exploiting CVE-2018-14667, it’s unclear if CISA is aware of active exploitation or if it recently became aware of old attacks.