OmniFaces EL Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A server-side expression language (EL) injection vulnerability has been identified in OmniFaces versions prior to 1.14.2, 2.7.32, 3.14.16, 4.7.5, and 5.2.3. This vulnerability allows for remote code execution (RCE) in applications using the CDNResourceHandler with a wildcard CDN mapping. An attacker can craft a resource request URL that includes an EL expression in the resource name, which is then evaluated on the server side. The severity of this vulnerability can vary depending on the EL implementation and the objects available in the EL context, but it can at least lead to information disclosure and denial-of-service.
Impact
Exploitation of this vulnerability allows for server-side EL injection, leading to remote code execution. At a minimum, it could result in information disclosure and denial-of-service.
Remediation
Users can upgrade to OmniFaces versions 5.2.3, 4.7.5, 3.14.16, 2.7.32, or 1.14.2. For applications using the CDNResourceHandler with wildcard mappings, it is recommended to replace these with explicit resource-to-URL mappings.
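An added configuration example, not taken from the advisory or the OmniFaces project, showing the wildcard CDN mapping the advisory warns about next to the explicit resource-to-URL mapping it recommends. The library name `mylib`, the resource names and the CDN host are assumed placeholders; the context-parameter name and mapping syntax are those documented by OmniFaces for CDNResourceHandler, and the upgrade to a fixed version is still required.

```xml
<!-- faces-config.xml: CDNResourceHandler registration (unchanged by the fix).
     Placeholder library/resource/host values are assumed for this example. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="2.2">
  <application>
    <resource-handler>org.omnifaces.resourcehandler.CDNResourceHandler</resource-handler>
  </application>
</faces-config>

<!-- web.xml, BEFORE (weak): wildcard mapping. The requested resource name is
     substituted into the CDN URL, which is the pattern the advisory describes
     as vulnerable on versions before the fixed releases. -->
<context-param>
  <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
  <param-value>
    mylib:*=https://cdn.example.invalid/mylib/*
  </param-value>
</context-param>

<!-- web.xml, AFTER (recommended): one explicit entry per resource. Only the
     listed resource names are rewritten to CDN URLs; anything else falls
     through to the default resource handler and is served locally. -->
<context-param>
  <param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
  <param-value>
    mylib:js/app.js=https://cdn.example.invalid/mylib/js/app.js,
    mylib:css/app.css=https://cdn.example.invalid/mylib/css/app.css
  </param-value>
</context-param>
```

After switching to explicit mappings, grep the deployed web.xml for `:*=` entries to confirm no wildcard mapping remains.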