CVE-2014-0086
JBoss RichFaces Improper Input Validation vulnerability
EPSS 0.64%
Description
The doFilter function in webapp/PushHandlerFilter.java in JBoss RichFaces 4.3.4, 4.3.5, and 5.x allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a large number of malformed atmosphere push requests.
How to fix CVE-2014-0086
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Maven/org.richfaces:richfaces: no fix listed
Is CVE-2014-0086 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.richfaces:richfaces: >= 4.3.4, <= 4.3.5