The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an old vulnerability affecting JBoss RichFaces that has been exploited in attacks. The vulnerability, tracked as CVE-2018-14667, was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, and federal agencies have been instructed to apply mitigations or discontinue the use of the product by October 19. While proof-of-concept (PoC) exploits and tools designed to exploit the flaw have been available for years, there have been no public reports describing actual exploitation in the wild. However, CISA only adds vulnerabilities to its KEV catalog if it has reliable evidence of exploitation.

Read more: https://www.securityweek.com/cisa-warns-of-old-jboss-richfaces-vulnerability-being-exploited-in-attacks/