Mitigating RichFaces 4.5.17.Final EOL Vulnerabilities

If you are using RichFaces, you should be aware that Code White has discovered some remote code execution vulnerabilities in the component library. Unfortunately, since RichFaces has reached end-of-life status, these vulnerabilities will not be fixed. Thankfully, there are two easy options to mitigate these vulnerabilities:

  1. Migrate to Alberto Fernandez’s fork of RichFaces.

    Alberto has fixed the known security vulnerabilities and other issues with RichFaces, so you should be able to upgrade to his latest release with little trouble:

    <dependency>
        <groupId>com.github.albfernandez.richfaces</groupId>
        <artifactId>richfaces</artifactId>
        <version>4.6.5.ayg</version>
    </dependency>
  2. Disable resource serialization.

    RichFaces has a whitelist of classes that it will deserialize. By setting the whitelist to empty you can avoid this remote code execution vulnerability. Just add the following content to a file named src/main/resources/org/richfaces/resource/resource-serialization.properties in your Maven or Gradle project:

    # Disable resource serialization to disallow remote code execution:
    # CVE-2013-2165, RF-14310, CVE-2015-0279, RF-13977, and RF-14309.
    # See https://codewhitesec.blogspot.com/2018/05/poor-richfaces.html for more details.
    whitelist=
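
To make it concrete why an empty whitelist closes the door, here is an added, self-contained Java illustration of the principle behind that setting. It is not RichFaces code and does not reproduce its internals: the `WhitelistObjectInputStream` class, the `ResourceKey` sample type, and the assumption that `whitelist=` holds a comma-separated list of class names are all constructed for this example. The point it shows is that an allow-list check in `resolveClass` runs before any class is instantiated, so with an empty list no `readObject` or gadget constructor ever executes.

```java
import java.io.*;
import java.util.*;

/**
 * Added illustration (not RichFaces' own code): a deserializing stream that
 * accepts only classes named in an allow-list, mirroring the effect of the
 * resource-serialization whitelist. With an empty list every class is
 * rejected before any object is created.
 */
public class WhitelistObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public WhitelistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // resolveClass is invoked before the class is instantiated, so throwing
    // here prevents any constructor or readObject of the class from running.
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    /**
     * Parses "whitelist=a,b,c" from properties-file content. An absent or empty
     * value yields an empty set. The comma-separated format is an assumption
     * made for this example, not a statement about the RichFaces file format.
     */
    static Set<String> loadWhitelist(Reader propsSource) throws IOException {
        Properties props = new Properties();
        props.load(propsSource);
        String raw = props.getProperty("whitelist", "").trim();
        Set<String> set = new HashSet<>();
        if (!raw.isEmpty()) {
            for (String cls : raw.split(",")) {
                set.add(cls.trim());
            }
        }
        return Collections.unmodifiableSet(set);
    }

    /** Harmless serializable type, constructed only to exercise the filter. */
    public static class ResourceKey implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        ResourceKey(String name) { this.name = name; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a serialized ResourceKey.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new ResourceKey("logo.png"));
        }
        byte[] payload = bos.toByteArray();

        // 1. Mitigated configuration: the properties content is just "whitelist=".
        Set<String> empty = loadWhitelist(new StringReader("whitelist=\n"));
        try (ObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(payload), empty)) {
            ois.readObject();
            System.out.println("unexpected: object deserialized with empty whitelist");
        } catch (InvalidClassException e) {
            System.out.println("empty whitelist rejected: " + e.classname);
        }

        // 2. Explicit allow-list naming only the class we expect to receive.
        Set<String> allowOne = loadWhitelist(new StringReader("whitelist=" + ResourceKey.class.getName() + "\n"));
        try (ObjectInputStream ois = new WhitelistObjectInputStream(new ByteArrayInputStream(payload), allowOne)) {
            ResourceKey key = (ResourceKey) ois.readObject();
            System.out.println("allow-listed class accepted: " + key.name);
        }
    }
}
```

Compile and run it with `javac WhitelistObjectInputStream.java && java WhitelistObjectInputStream`: the first attempt fails in `resolveClass` and prints the rejected class name, the second succeeds because the class is listed. The same reasoning applies to the properties file above: an empty `whitelist=` leaves RichFaces nothing it is willing to deserialize, which is the mitigation.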

The Liferay Faces team has used the second mitigation method to protect our RichFaces demos and archetypes. We have released new versions of our RichFaces archetypes with the mitigation included. Please see the release notes for more details.