Friday, April 11, 2014
RichFaces Security Advisory CVE-2014-0335
A security vulnerability has been uncovered and resolved in RichFaces 4. Details of the vulnerability can be found in this Red Hat Errata document released for our WFK product. We have released a community micro release addressing this vulnerability, so please update your applications ASAP. Read below for a summary of the problem and some additional minor fixes included in this release.
The vulnerability manifests itself when malformed Atmosphere requests cause RichFaces to leak memory. This memory leak can be exploited via a large number of requests to a push-enabled RichFaces application leading to an out-of-memory error, and a corresponding DDoS on the underlying application server.
This 4.3.6.Final release of RichFaces no longer leaks memory when receiving malformed Atmosphere requests. Users are encouraged to update their deployed RichFaces applications, particularly those that are push-enabled.
Note: while we have included the patch in RichFaces 5, we have not shipped an update to the RichFaces 5.0.0.Alpha3 release. The fix will be present in an upcoming 5.0.0.Alpha4 release.
Check out the 4.3.6.Final release notes for a complete list of issues resolved in this release. The issues are for the most part stabilizations to our Photoalbum demo. However, some noteworthy issues include:
We are hard at work putting out a RichFaces 4.5 release to address JSF 2.2 compatibility with the RichFaces 4.x branch. This has necessitated putting RichFaces 5 development on hold, but we feel it will be worth it to get JSF 2.2 support into a stable release sooner rather than later.