PrimeFaces and EL Injection Update

PrimeFaces and EL Injection Update

PrimeFaces EL Injection – Issue 1152 / CVE-2017-1000486 / Cryptojacking Malware Injection

PrimeFaces had an EL Injection Vulnerability in older versions till 5.2.21 / 5.3.8 / 6.0 – which was already fixed 2 years ago (02-2016).

End of last year (12-2017), someone requested a CVE for that problem ( and shorty after cryptojacking malware spotted on some PrimeFaces applications (

How does the injection work?
In PrimeFaces 5.2, the ValueExpression which targets the StreamedContent, was encrypted to the resource URL.  This dynamic streaming mechanism is mainly used for the dynamic p:graphicImage. If the browser calls the resource URL, the ValueExpression was decrypted, executed and the result was streamed back in the HTTP response.

As the encryption is „quite“ simple, it’s possible to manipulate the ValueExpresion and therefore execute almost any Java-Code. It’s described very detailed here:

Cryptojacking Malware Injection Example:

The ValueExpression results in the following statements:

Which means that the every code requested by the „cmd“ request parameter will be executed via the ProcessBuilder.

The Cryptojacking CMD in this case to do a request for “” is;


  1. The easiest solution is to upgrade PrimeFaces, the bugfix is available since 5.2.21 and 5.3.8. For community users, we suggest updating to 6.2 as it is the most secure PrimeFaces and also includes various other patches.
  2. If you don’t use the StreamedContent mechanism in your application, a solution might be to block all requests to in your web server like following;

Overall, we suggest always keeping your software stack up-to-date to avoid security bugs and be compatible with newer browser versions! PrimeFaces is constantly updated to include security patches.

Thomas Andraschko – PrimeFaces

1 Comment
  • Ralf
    26 January 2018 at 14:06


    when will Version 6.2 be available?


Post a Comment