PT-2014-3472 · Red Hat · Jboss Richfaces
Published
2014-03-28
·
Updated
2022-05-17
·
CVE-2014-0086
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
JBoss RichFaces versions 4.3.4 through 4.3.5
JBoss RichFaces version 5.x
Description
The issue allows remote attackers to cause a denial of service, resulting in memory consumption and out-of-memory errors. This is achieved by sending a large number of malformed atmosphere push requests. The
doFilter function in webapp/PushHandlerFilter.java is the vulnerable component.Recommendations
For JBoss RichFaces versions 4.3.4 through 4.3.5, consider restricting access to the
PushHandlerFilter to minimize the risk of exploitation.
For JBoss RichFaces version 5.x, consider disabling the doFilter function in webapp/PushHandlerFilter.java until a patch is available.
As a temporary workaround, restrict the number of atmosphere push requests to prevent memory consumption and out-of-memory errors.Exploit
Fix
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jboss Richfaces