Bug 1213007 (CVE-2015-1926)

Summary: CVE-2015-1926 Portlet spec: Information disclosure via missing access restriction in resource dispatching
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdawidow, chazlett, hfnukal, janstey, jcosta, jpallich, mweiler, ppalaga, security-response-team, theute, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The Java Portlet Specification JSR286 API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-30 19:10:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1241204, 1241205, 1241206    
Bug Blocks: 1213008    

Description Chess Hazlett 2015-04-17 22:20:14 UTC 
The Java Portlet Specification JSR286 API jar file code could
allow a remote attacker to obtain sensitive information, caused by the
failure to restrict access to resources located within the web application.
An attacker could exploit this vulnerability to obtain configuration data
and other sensitive information.


Problem summary:
A resource ID string can be set on a resource URL. If a resource ID is
present, the default behavior of the GenericPortlet#serveResource method is
to dispatch to the resource identified by the resource ID through a request
dispatcher. The vulnerability can occur if an attacker manipulates the
resource ID field on a resource URL to point to a resource such as a JSP or
servlet that the user would not normally be able to access. Security
constraints can be bypassed in this manner.

Even portlets that do not use resource serving can be vulnerable if the
GenericPortlet#serveResource method is not overridden, since an attacker
could potentially add a resource ID to a resource URL. The resource ID
would be dispatched through the GenericPortlet#serveResource method.

Portlets that override the GenericPortlet#serveResource method and
either do not call the super.serveResource method or call it only after
verifying the resource ID are not vulnerable.
Comment 4 Chess Hazlett 2015-07-14 17:29:30 UTC 
Statement:

CVE-2015-1926 did not affect JBoss Portal Platform as provided by Red Hat. For further detail, refer to the knowledge base article at https://access.redhat.com/solutions/1488163