Bug 1052783 (CVE-2014-0018)

Summary: CVE-2014-0018 jboss-as-server: Unchecked access to MSC Service Registry under JSM
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: anil.saldhana, bdawidow, chazlett, epp-bugs, fnasser, grocha, huwang, jcoleman, jdg-bugs, jpallich, kconner, kejohnso, lgao, mjc, myarboro, pcheung, rhq-maint, soa-p-jira, spinder, theute, ttarrant, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20140111,reported=20140113,source=redhat,cvss2=1.9/AV:L/AC:M/Au:N/C:N/I:P/A:N,eap-6/jboss-as-server=affected,jpp-6/jboss-as-server=affected,jdg-6/jboss-as-server=notaffected,jon-3/jboss-as-server=notaffected,eap-5/jboss-as-server=notaffected,jboss/others=notaffected,fsw-6/jboss-as-server=affected,brms-6/jboss-as-server=affected,bpms-6/jboss-as-server=affected,jdv-6/jboss-as-server=notaffected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:31:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1051751, 1052141, 1052785, 1052790, 1052791, 1052792, 1075479
Bug Blocks: 1050810, 1082931, 1082938, 1141957, 1145284, 1159080

Description Arun Babu Neelicattu 2014-01-14 03:55:44 UTC
Issue Description:

In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways.

Comment 2 Arun Babu Neelicattu 2014-01-14 04:17:34 UTC
Acknowledgement:

This issue was discovered by Stuart Douglas of Red Hat.

Comment 5 errata-xmlrpc 2014-02-13 18:39:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0172 https://rhn.redhat.com/errata/RHSA-2014-0172.html

Comment 6 errata-xmlrpc 2014-02-13 18:40:02 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0171 https://rhn.redhat.com/errata/RHSA-2014-0171.html

Comment 7 errata-xmlrpc 2014-02-13 18:41:49 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0170 https://rhn.redhat.com/errata/RHSA-2014-0170.html

Comment 9 errata-xmlrpc 2014-09-23 20:20:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html

Comment 10 errata-xmlrpc 2014-09-23 20:21:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html

Comment 11 errata-xmlrpc 2014-12-15 20:36:07 UTC
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html

Comment 13 errata-xmlrpc 2015-05-14 15:15:20 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html