RichFaces Security Advisory CVE-2014-0335

Brian Leathem

2 minute read

RichFaces

A security vulnerability has been uncovered and resolved in RichFaces 4. Details of the vulnerability can be found in this Red Hat Errata document released for our WFK product. We have released a community micro release addressing this vulnerability, so please update your applications ASAP. Read below for a summary of the problem and some additional minor fixes included in this release.

To update to this release: You can download the distribution directly, or for maven users, increment the RichFaces version in your pom.xml to 4.3.6.Final. For more information on setting up a RichFaces 4 application, refer to our getting started guide.

The issue

The issue was reported and resolved through community efforts in RF-13250. Much thanks to Marcel Ĺ ebek for both investigating and patching this issue!

The vulnerability

The vulnerability manifests itself when malformed Atmosphere requests cause RichFaces to leak memory. This memory leak can be exploited via a large number of requests to a push-enabled RichFaces application leading to an out-of-memory error, and a corresponding DDoS on the underlying application server.

This 4.3.6.Final release of RichFaces no longer leaks memory leak when receiving malformed Atmosphere requests. Users are encouraged to update their deployed RichFaces applications, particularly those that are push-enabled.

Note: while we have included the patch in RichFaces 5, we have not shipped an update to the RichFaces 5.0.0.Alpha3 release. The fix will be present in an upcoming 5.0.0.Alpha4 release.

Other fixes

Check out the 4.3.6.Final release notes for a complete list of issues resolved in this release. The issues for the most part are stabilizations to our Photoalbum demo. However some noteworthy issues include:

  • RF-13531: selects: cannot select option on IE11

  • RF-13559: a4j:commandButton wrong actions performed

  • RF-13540: Websphere incarnation of MyFaces renders optimized resources multiple times

Next Steps

We are hard at work putting out a RichFaces 4.5 release to address JSF 2.2 compatibility with the RichFaces 4.x branch. This has necessitated we put RichFaces 5 development on hold, but we feel will be worth it to get JSF 2.2 support in a stable release sooner rather than later.