**Summary**
An update is now available for Red Hat JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
**Relevant releases/architectures**
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server - noarch
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server - noarch
**Description**
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.
This asynchronous patch is a security update for the RichFaces package in Red Hat JBoss Enterprise Application Platform 5.2.
Security Fix(es):
\* RichFaces: Expression Language injection via UserResource allows for unauthenticated remote code execution (CVE-2018-14667)
See https://access.redhat.com/solutions/3660371 for specific information regarding this flaw.
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Joao Filho Matos Figueiredo for reporting this issue.
**Solution**
Before applying this update, back up your existing JBoss Enterprise Application Platform installation (including all applications and configuration files) and make sure all previously-released errata relevant to your system have been applied.