Bug 1049736 (CVE-2014-0005)

Summary: CVE-2014-0005 PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state by application
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anmiller, bdawidow, cdewolf, chazlett, grocha, istudens, jawilson, jcoleman, jkudrnac, jpallich, lgao, myarboro, pcheung, pskopek, security-response-team, theute
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was identified that PicketBox/JBossSX allowed any deployed application to alter or read the underlying application server configuration and state without any authorization checks. An attacker able to deploy applications could use this flaw to circumvent security constraints applied to other applications deployed on the same system, disclose privileged information, and in certain cases allow arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:31:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1065110, 1049737, 1049738, 1049739, 1049740, 1065111, 1065113, 1160705, 1166955, 1166956, 1166957    
Bug Blocks: 1049742, 1082938, 1181883, 1182419    

Description Arun Babu Neelicattu 2014-01-08 06:12:45 UTC 
IssueDescription:

It was identified that PicketBox/JBossSX allowed any deployed application to alter or read the underlying application server configuration and state without any authorization checks. An attacker able to deploy applications could use this flaw to circumvent security constraints applied to other applications deployed on the same system, disclose privileged information, and in certain cases allow arbitrary code execution.
Comment 3 Martin Prpič 2014-01-08 16:16:11 UTC 
Acknowledgements:

This issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.
Comment 10 Arun Babu Neelicattu 2014-07-24 08:02:22 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0345 https://rhn.redhat.com/errata/RHSA-2014-0345.html
Comment 11 Arun Babu Neelicattu 2014-07-24 08:02:34 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6 for RHEL 5

Via RHSA-2014:0343 https://rhn.redhat.com/errata/RHSA-2014-0343.html
Comment 12 Arun Babu Neelicattu 2014-07-24 08:02:46 UTC 
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6 for RHEL 6

Via RHSA-2014:0344 https://rhn.redhat.com/errata/RHSA-2014-0344.html
Comment 15 errata-xmlrpc 2015-02-17 22:27:53 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
Comment 16 errata-xmlrpc 2015-02-17 22:31:41 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
Comment 18 errata-xmlrpc 2015-03-24 21:06:11 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
Comment 19 errata-xmlrpc 2015-05-14 15:15:05 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html