Platform: java
Component: identityiq
Fixed in: 8.1p7, 8.2p7, 8.3p4, 8.4p1
CVE-2024-2227 is a critical Path Traversal vulnerability affecting JavaServer Faces (JSF) versions 8.1 through 2.2.20. The flaw allows an attacker to read arbitrary files on the application server's file system, leading to sensitive data exposure or system compromise. It is related to the earlier fixes for CVE-2020-6950 and the advisories that accompanied them. A fix is available in version 8.4p1.
Successful exploitation of CVE-2024-2227 allows an attacker to read any file accessible by the JavaServer Faces process. This includes configuration files, source code, and potentially sensitive data like database credentials or API keys. The impact is particularly severe in IdentityIQ deployments, as attackers could gain access to user data, authentication information, and other critical components. Lateral movement within the network is possible if the attacker can leverage the accessed files to identify and exploit other vulnerabilities. The blast radius extends to any system accessible by the compromised JavaServer Faces instance.
CVE-2024-2227 was publicly disclosed on March 22, 2024. It leverages a previously identified vulnerability (CVE-2020-6950) and subsequent remediation efforts. The EPSS score is likely to be medium to high, given the critical CVSS score and the potential for widespread exploitation. Public proof-of-concept exploits are likely to emerge, increasing the risk of active exploitation. Refer to the NVD and CISA advisories for updates.
Exploit Status
EPSS: 0.61% (70th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-2227 is to upgrade to JavaServer Faces version 8.4p1 or later. If an immediate upgrade is not feasible, apply temporary workarounds: restrict the file-system permissions of the application server process so it can read only what it needs, and enforce strict input validation so that user-supplied path components cannot escape the intended directory. A Web Application Firewall (WAF) can be configured to block requests containing path traversal patterns. Monitor JavaServer Faces logs for unusual file access attempts. After upgrading, verify the fix by attempting to access a restricted file via a crafted URL; access should be denied.
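As an added illustration of the "strict input validation" workaround described above (example code written for this page, not code from SailPoint, IdentityIQ or the JSF project, and making no claim about where the flaw sits in those products), the following Java helper resolves a user-supplied relative path against one fixed base directory and rejects anything that escapes it, whether through `..` segments, an absolute path, an embedded NUL byte, or a symbolic link. The class name `SafePathResolver` and the sample inputs in `main` are constructed for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/** Resolves untrusted relative paths inside one base directory (hypothetical helper). */
public final class SafePathResolver {

    private final Path baseDir;

    public SafePathResolver(Path baseDir) throws IOException {
        // toRealPath() yields an absolute, symlink-free directory to compare against.
        this.baseDir = baseDir.toRealPath();
    }

    /**
     * Returns the file the caller may open, or throws SecurityException.
     * Expects input that is already URL-decoded (servlet containers decode
     * path parameters before the application sees them); decoding after this
     * check would reopen the hole.
     */
    public Path resolve(String untrusted) throws IOException {
        if (untrusted == null || untrusted.isEmpty() || untrusted.indexOf('\0') >= 0) {
            throw new SecurityException("empty path or embedded NUL");
        }
        // resolve() keeps an absolute input as-is, so "/etc/passwd" never lands
        // under baseDir and fails the prefix test below. normalize() collapses "..".
        Path candidate = baseDir.resolve(untrusted).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new SecurityException("path escapes base directory: " + untrusted);
        }
        // The lexical check passed; if the target exists, follow symlinks too,
        // because a link placed inside baseDir may point outside it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("symlink escapes base directory: " + untrusted);
            }
            return real;
        }
        return candidate;
    }

    /** Self-contained demonstration on a temporary directory with constructed inputs. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("webroot");
        Files.write(base.resolve("public.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        SafePathResolver resolver = new SafePathResolver(base);

        String[] inputs = {
            "public.txt",          // allowed
            "sub/../public.txt",   // normalizes to public.txt, allowed
            "../../etc/passwd",    // classic traversal, rejected
            "/etc/passwd",         // absolute path, rejected
            "..",                  // parent directory itself, rejected
            "a\u0000.txt"          // NUL byte, rejected
        };
        for (String in : inputs) {
            try {
                Path p = resolver.resolve(in);
                System.out.println("ALLOW " + in + " -> " + resolver.baseDir.relativize(p));
            } catch (SecurityException e) {
                System.out.println("DENY  " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The prefix comparison uses `Path.startsWith(Path)`, which compares whole name elements, so a sibling directory such as `webroot2` does not pass as a prefix of `webroot`. Compile and run it with `javac SafePathResolver.java && java SafePathResolver`; the two `public.txt` forms are allowed and the remaining four inputs are denied.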
Update JavaServer Faces to a version later than 2.2.20 that contains the fix for CVE-2020-6950. Refer to the SailPoint advisory for specific information on updating IdentityIQ and apply the additional mitigations mentioned in ETN IIQSAW-3585 and IIQFW-336.
CVE-2024-2227 is a critical vulnerability in JavaServer Faces (JSF) allowing attackers to access arbitrary files on the server. It builds upon previous vulnerabilities and impacts IdentityIQ deployments.
You are affected if you are using JavaServer Faces versions 8.1 through 2.2.20. Check your version and upgrade immediately.
Upgrade to JavaServer Faces version 8.4p1 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting file access and input validation.
While active exploitation is not yet confirmed, the critical CVSS score and the availability of previous exploits suggest a high probability of exploitation.
Refer to the Oracle Java SE Security Bulletin for details: [https://www.oracle.com/security-alerts/cpuapr2024.html](https://www.oracle.com/security-alerts/cpuapr2024.html)