CVE-2014-0086

Name of the Vulnerable Software and Affected Versions JBoss RichFaces versions 4.3.4 through 4.3.5 JBoss RichFaces version 5.x

Description The issue allows remote attackers to cause a denial of service, resulting in memory consumption and out-of-memory errors. This is achieved by sending a large number of malformed atmosphere push requests. The doFilter function in webapp/PushHandlerFilter.java is the vulnerable component.

Recommendations For JBoss RichFaces versions 4.3.4 through 4.3.5, consider restricting access to the PushHandlerFilter to minimize the risk of exploitation. For JBoss RichFaces version 5.x, consider disabling the doFilter function in webapp/PushHandlerFilter.java until a patch is available. As a temporary workaround, restrict the number of atmosphere push requests to prevent memory consumption and out-of-memory errors.