Bug 1169237 (CVE-2014-8122)
Summary: | CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, dstahl, grocha, hfnukal, jawilson, jcoleman, jharting, jpallich, jrusnack, jshepherd, kconner, kejohnso, lgao, maschmid, mkouba, mweiler, myarboro, pavelp, pgier, pmuir, pslavice, rsvoboda, rzhang, sdouglas, security-response-team, slaskawi, spinder, theute, ttarrant, twalsh, vtunka
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | weld-core 3.0.0.Alpha3, weld-core 2.2.8.Final | Doc Type: | Bug Fix
Doc Text: | It was discovered that under specific conditions the conversation state information stored in a thread-local variable in JBoss Weld was not sanitized correctly when the conversation ended. This could lead to a race condition that could potentially expose sensitive information from a previous conversation to the current conversation. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2015-08-27 22:50:54 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1169246, 1169247, 1169248, 1169249, 1169250, 1169251, 1169252, 1169253, 1169254, 1169255, 1169256, 1169257, 1169258, 1169259, 1169260 | |
Bug Blocks: | 1155350, 1168961, 1200191, 1206755, 1210482, 1217043 | |
Description
Arun Babu Neelicattu
2014-12-01 06:19:38 UTC
Upstream Issue: https://issues.jboss.org/browse/WELD-1802

Acknowledgements: Red Hat would like to thank Rune Steinseth of JProfessionals for reporting this issue.

Upstream Commits:
- https://github.com/weld/core/commit/8e413202fa1af08c09c580f444e4fd16874f9c65
- https://github.com/weld/core/commit/6808b11cd6d97c71a2eed754ed4f955acd789086
- https://github.com/weld/core/commit/29fd1107fd30579ad9bb23fae4dc3ba464205745

This issue has been addressed in the following products:
- JBoss Enterprise Application Platform 6.3.3 via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html
- JBEAP 6.3.z for RHEL 6 via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html
- JBEAP 6.3.z for RHEL 5 via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html
- JBEAP 6.3.z for RHEL 7 via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html
- JBoss Data Virtualization 6.1.0 via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
- Red Hat JBoss Data Grid 6.4 via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
- JBoss BPM Suite 6.1.0 via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
- JBoss BRMS 6.1.0 via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
- JBoss Operations Network 3.3.2 via RHSA-2015:0920 https://rhn.redhat.com/errata/RHSA-2015-0920.html