Bug 1084841 (CVE-2014-0169)

Summary: CVE-2014-0169 JBoss EAP: cache is shared between all applications in a security domain
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cdewolf, grocha, jawilson, lcosti, lgao, myarboro, olukas, pcheung, pgier, pslavice, rdickens, rsvoboda, security-response-team, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-04-10 06:38:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1073892, 1084842, 1084843, 1084854    
Bug Blocks:    

Description Arun Babu Neelicattu 2014-04-07 01:27:49 UTC
When a security domain is configured to use a cache, this cache is shared between all application that are in the security domain. This could allow a user authenticated in one application to access protected resources in another despite not being authorized to do so. This is currently an intended functionality, but it was not clearly documented. Application developers could easily have assumed that a security domain cache is isolated to a single application.

Comment 4 Arun Babu Neelicattu 2014-04-07 07:02:30 UTC
Acknowledgement:

This issue was discovered by Ondrej Lukas of the Red Hat JBoss EAP Quality Engineering team.

Comment 5 Arun Babu Neelicattu 2014-04-08 00:18:18 UTC
Statement:

The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.