Category: SecureChange

A problem with PrimeFaces Expression Language (EL) handling in Tufin SecureChange has been found. CodeWhite reports that EL injection is possible in SecureChange, allowing unauthenticated attackers to inject arbitrary EL code into the PrimeFaces custom EL parser.

Tufin published a Security Advisory on this issue on August 24th.

All TOS versions with SecureChange installed are affected. Systems on which only SecureTrack is installed are not affected.
Fixes are available for most supported TOS versions.

TOS R17-2: Fix will be published at the end of August
TOS R17-1: Fix is included in R17-1HF3, which is available in the Tufin Download Center
TOS R16-4: Fix is included in R16-4HF5, which is available in the Tufin Download Center

If a fix is needed for TOS R16-3 or TOS R16-2, Tufin asks customers to contact Tufin Support (support at tufin dot com).

Earlier versions are no longer supported, so no fix will be published for them. In this case, upgrading to a supported version is strongly recommended.