|Summary:||CVE-2014-0169 JBoss EAP: cache is shared between all applications in a security domain|
|Product:||[Other] Security Response||Reporter:||Arun Babu Neelicattu <aneelica>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Version:||unspecified||CC:||cdewolf, grocha, jawilson, lcosti, lgao, myarboro, olukas, pcheung, pgier, pslavice, rdickens, rsvoboda, security-response-team, vtunka|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-04-10 06:38:19 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1073892, 1084842, 1084843, 1084854|
Description Arun Babu Neelicattu 2014-04-07 01:27:49 UTC
When a security domain is configured to use a cache, this cache is shared between all application that are in the security domain. This could allow a user authenticated in one application to access protected resources in another despite not being authorized to do so. This is currently an intended functionality, but it was not clearly documented. Application developers could easily have assumed that a security domain cache is isolated to a single application.
Comment 4 Arun Babu Neelicattu 2014-04-07 07:02:30 UTC
Acknowledgement: This issue was discovered by Ondrej Lukas of the Red Hat JBoss EAP Quality Engineering team.
Comment 5 Arun Babu Neelicattu 2014-04-08 00:18:18 UTC
Statement: The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.