CVE-2017-1000486 — Primetek Primefaces Remote Code Execution Vulnerability

PrimeFaces JSF Component Library — Hardcoded Blowfish Key in ViewState Encryption Enables Server-Side EL Injection RCE; CRITICAL 9.8; Added KEV January 2022

What Is PrimeFaces?

PrimeFaces is a popular open-source JSF (JavaServer Faces) component library for Java web applications, widely used in enterprise Java EE and Jakarta EE environments. PrimeFaces provides rich UI components — data grids, file uploaders, calendars, charts — used by applications at banks, government agencies, and large enterprises. JSF applications rely on a ViewState mechanism to preserve UI component state between requests. PrimeFaces encrypts this ViewState to prevent tampering; however, the encryption implementation in vulnerable versions used a hardcoded, publicly known key — creating a trivially exploitable path from ViewState manipulation to server-side code execution.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 10, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-1000486 is a critical remote code execution vulnerability in PrimeFaces (versions 5.x through 6.0 before patch) caused by use of a hardcoded, publicly known Blowfish encryption key ("primefaces") to encrypt the ViewState parameter. An unauthenticated remote attacker who knows this key — which is literally hardcoded in the public source code — can craft a malicious ViewState containing Java Expression Language (EL) expressions; when the server decrypts and processes the ViewState, the EL expressions are evaluated server-side, executing arbitrary Java code. CISA added CVE-2017-1000486 to the KEV catalog in January 2022.

Affected Versions

PrimeFaces Version                           Status
PrimeFaces 5.x before 5.2.21 / 5.3.8         Vulnerable
PrimeFaces 6.0 before 6.0.1                  Vulnerable
PrimeFaces 5.2.21, 5.3.8, 6.0.1 and later    Fixed (requires strong key configuration)

Technical Details

Root Cause: Hardcoded Encryption Key Enables ViewState EL Injection

CVE-2017-1000486 is an inadequate encryption strength vulnerability (CWE-326) with a practical impact of server-side code injection. The attack chain is:

  1. Hardcoded key: PrimeFaces 5.x/6.0 used Blowfish encryption with the hardcoded key "primefaces" to encrypt the JSF ViewState. This key is in the public source code and known to any attacker.

  2. ViewState tampering: An attacker crafts a malicious ViewState by encrypting arbitrary content with the known Blowfish key. The malicious ViewState contains Java EL (Expression Language) expressions in the partial response action or component state.

  3. Server-side EL evaluation: When the server receives the crafted ViewState, it decrypts it with the same hardcoded key, then evaluates the EL expressions in the server-side JSF processing cycle. EL expressions in JSF have access to the runtime environment and can invoke arbitrary Java methods.

  4. Code execution: The EL injection can invoke Runtime.exec() or other Java runtime methods to execute arbitrary OS commands on the server, achieving full RCE as the application server user.

Why this is CVSS 9.8 (Critical):

  • PR:N, UI:N — any unauthenticated HTTP client can trigger the exploit
  • No special knowledge required beyond the publicly known key
  • Works against any PrimeFaces application using the default configuration

Attack Characteristics

Attribute         Detail
Attack Vector     Network — HTTP request with crafted ViewState
Authentication    None required
Prerequisites     Target application uses PrimeFaces with default key
Payload           EL expression in encrypted ViewState
Impact            RCE as application server process user

Discovery

The hardcoded key was identified through code review of the PrimeFaces open-source repository. The fix requires application administrators to configure a custom encryption key in web.xml — the framework itself cannot auto-generate a unique key per installation.

Exploitation Context

  • Enterprise Java attack surface: PrimeFaces is deployed in enterprise financial, healthcare, and government applications — environments with high-value data; a CRITICAL unauthenticated RCE in a widely-used Java UI library attracts significant attacker attention
  • Zero-configuration exploitability: Because the key is hardcoded in public source code, exploiting CVE-2017-1000486 requires no reconnaissance — an attacker can identify the framework (via HTTP response headers or error pages) and immediately send the crafted ViewState
  • Persistence after "fix": The patch requires administrators to explicitly set a strong key in web.xml; applications that were upgraded without reading the security advisory continued using the default key, leaving many deployments vulnerable long after the fix was available
  • CISA KEV (2022): Added January 2022 confirming active exploitation of unpatched PrimeFaces applications

Remediation

CISA BOD 22-01 Deadline: July 10, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade PrimeFaces — update to PrimeFaces 5.2.21, 5.3.8, or 6.0.1+ immediately.

  2. Configure a strong encryption key — after upgrading, add a custom encryption key in web.xml. The fix alone is not sufficient without configuring the key:

    <context-param>
      <param-name>primefaces.SECRET</param-name>
      <param-value>[your-random-strong-key]</param-value>
    </context-param>
  3. Inventory PrimeFaces deployments — scan your Java application portfolio for PrimeFaces usage; the library is often included as a dependency by third-party applications and may not be immediately visible.

  4. Apply WAF rules — web application firewall rules can detect malformed or unusually large ViewState parameters that may indicate exploitation attempts.

  5. Run application servers as least-privilege accounts — if exploitation occurs, limiting the application server's OS permissions reduces the blast radius of arbitrary code execution.
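A defender-side audit that ties the affected-versions table to remediation steps 2 and 3, as an added example that is not PrimeFaces project code: it flags dependency versions inside the vulnerable ranges and classifies the primefaces.SECRET setting found in a web.xml. The "weak" heuristic and the sample web.xml are assumptions constructed here.

```python
# Added audit helper for CVE-2017-1000486 (not PrimeFaces project code).
# Version thresholds follow this page's affected-versions table; the "weak"
# heuristic (under 16 chars or an obvious placeholder) is our own assumption.
import xml.etree.ElementTree as ET

FIXED = {(5, 2): (5, 2, 21), (5, 3): (5, 3, 8), (6, 0): (6, 0, 1)}
DEFAULT_KEY = "primefaces"  # the hardcoded key named on this page


def version_vulnerable(version: str) -> bool:
    """True when a PrimeFaces version string falls in an affected range."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    parts += (0,) * (3 - len(parts))  # "6.0" -> (6, 0, 0)
    if parts[:2] in FIXED:
        return parts < FIXED[parts[:2]]
    # 5.0/5.1 never got a fixed build; 6.1+ ship with the fix already in
    return parts[0] == 5 and parts[:2] < (5, 2)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the javaee XML namespace prefix


def audit_secret(web_xml: str) -> str:
    """Classify primefaces.SECRET in web.xml: missing, default, weak or ok."""
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("param-name") != "primefaces.SECRET":
            continue
        value = fields.get("param-value", "")
        if value == DEFAULT_KEY:
            return "default"  # explicitly set, but still the public key
        # placeholder left in from the advisory, or too short to matter
        if len(value) < 16 or value.startswith("[") or "your" in value.lower():
            return "weak"
        return "ok"
    return "missing"  # no override at all: the hardcoded key is in use


# Constructed sample: an "upgraded" app whose web.xml still names the default key.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>primefaces.SECRET</param-name>
    <param-value>primefaces</param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    print("6.0 vulnerable:", version_vulnerable("6.0"))
    print("sample web.xml secret:", audit_secret(SAMPLE_WEB_XML))
```

Run it against each WEB-INF/web.xml and the PrimeFaces version pinned in the build; a "missing" or "default" verdict means the deployment is still on the public key regardless of the library version.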

Key Details

Property              Value
CVE ID                CVE-2017-1000486
Vendor / Product      Primetek — Primefaces Application
NVD Published         2018-01-03
NVD Last Modified     2025-11-05
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-326 — Inadequate Encryption Strength
CISA KEV Added        2022-01-10
CISA KEV Deadline     2022-07-10
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2022-07-10. Apply updates per vendor instructions.

Timeline

Date          Event
2016-09-01    PrimeFaces releases 5.2.21, 5.3.8, and 6.0.1 with a fix requiring configuration of a strong encryption key
2018-01-03    CVE-2017-1000486 published by NVD
2022-01-10    Added to CISA Known Exploited Vulnerabilities catalog
2022-07-10    CISA BOD 22-01 remediation deadline