Bug 1070046 (CVE-2014-0093)

Summary: CVE-2014-0093 JBoss EAP 6: JSM policy not respected by deployed applications
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: anil.saldhana, arubin, bdawidow, cdewolf, chazlett, epp-bugs, fnasser, grocha, huwang, jawilson, jcoleman, jdg-bugs, jkudrnac, jpallich, kconner, kejohnso, lgao, mjc, myarboro, pcheung, pgier, pslavice, rhq-maint, rsvoboda, soa-p-jira, spinder, theute, ttarrant, vtunka, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted.
Story Points: ---
Last Closed: 2019-06-08 02:31:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1070048, 1070049, 1070050, 1071100, 1071101, 1071102, 1071103, 1115372
Bug Blocks: 1070108, 1070622, 1082938, 1141957, 1145284, 1159080

Description Arun Babu Neelicattu 2014-02-26 07:02:20 UTC
IssueDescription:

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission. In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted.
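
The following probe is an added example, not code from this bug report or from JBoss EAP itself. It shows how to verify, from inside application code, whether a Java Security Manager policy is actually being enforced, which is the behaviour this bug breaks: under the flaw, deployed applications were granted java.security.AllPermission regardless of the policy file, so the probe reports AllPermission as granted. The class name, the sample policy file and the chosen permissions are assumptions for illustration; to test a server, the report() method can be called from a servlet or JSP in a deployed WAR.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.util.PropertyPermission;

/*
 * Constructed sample policy (save as restrictive.policy). It grants only a
 * harmless property read, so everything else must be denied when the JSM
 * honours the file:
 *
 *   grant {
 *       permission java.util.PropertyPermission "java.version", "read";
 *   };
 *
 * Stand-alone run (note the double '==', which replaces the JDK default
 * policy instead of appending to it):
 *   javac AllPermissionProbe.java
 *   java -Djava.security.manager -Djava.security.policy==restrictive.policy AllPermissionProbe
 */
public class AllPermissionProbe {

    /**
     * Returns true if the calling context is granted the permission, false if the
     * installed SecurityManager rejects it. AccessControlException is a
     * SecurityException, so a single catch covers the denial.
     */
    public static boolean isGranted(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No manager installed: nothing is checked, so the policy file is moot.
            return true;
        }
        try {
            sm.checkPermission(p);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Human-readable summary; "policy NOT enforced" is the vulnerable outcome. */
    public static String report() {
        StringBuilder sb = new StringBuilder();
        if (System.getSecurityManager() == null) {
            return "no SecurityManager installed; the policy file is not consulted at all\n";
        }
        boolean all = isGranted(new AllPermission());
        sb.append("AllPermission granted:        ").append(all).append('\n');
        // Granted by the sample policy: expected true either way.
        sb.append("read property java.version:   ")
          .append(isGranted(new PropertyPermission("java.version", "read"))).append('\n');
        // Not granted by the sample policy: expected false when the policy is enforced.
        sb.append("read /etc/passwd:             ")
          .append(isGranted(new FilePermission("/etc/passwd", "read"))).append('\n');
        sb.append("write property java.home:     ")
          .append(isGranted(new PropertyPermission("java.home", "write"))).append('\n');
        sb.append(all ? "RESULT: policy NOT enforced (every deployment effectively has AllPermission)\n"
                      : "RESULT: policy enforced\n");
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.print(report());
    }
}
```

Run stand-alone against the sample policy, the probe should report AllPermission false, the java.version read true and the other two checks false; the same report from a deployment on an affected server shows AllPermission true even though the policy never grants it. Checking the empty-manager case first matters because a missing -Djava.security.manager flag looks identical to this bug from the application's point of view.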

Comment 4 Martin Prpič 2014-03-31 07:53:13 UTC
Acknowledgements:

This issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

Comment 5 errata-xmlrpc 2014-03-31 16:48:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.2

Via RHSA-2014:0345 https://rhn.redhat.com/errata/RHSA-2014-0345.html

Comment 6 errata-xmlrpc 2014-03-31 16:50:00 UTC
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6 for RHEL 5

Via RHSA-2014:0343 https://rhn.redhat.com/errata/RHSA-2014-0343.html

Comment 7 errata-xmlrpc 2014-03-31 17:00:46 UTC
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6 for RHEL 6

Via RHSA-2014:0344 https://rhn.redhat.com/errata/RHSA-2014-0344.html

Comment 8 errata-xmlrpc 2014-09-23 20:20:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html

Comment 9 errata-xmlrpc 2014-09-23 20:21:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html

Comment 10 errata-xmlrpc 2014-12-15 20:36:21 UTC
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html

Comment 12 errata-xmlrpc 2015-05-14 15:16:30 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html