Bug 1250552 (CVE-2015-5178)

Summary: CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbaranow, bilge, cdewolf, dandread, darran.lofthouse, jason.greene, jawilson, jpallich, lgao, mprpic, myarboro, pslavice, rsvoboda, security-response-team, slong, tkirby, twalsh, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:47:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1249105    
Bug Blocks: 1250555, 1271191    

Description Martin Prpič 2015-08-05 12:49:03 UTC 
It was reported that the EAP console is vulnerable to clickjacking attacks because it does not set the X-Frame-Options HTTP header. An attacker could use this flaw to embedded the EAP console in a web page using a frame or iframe, and then trick a user into performing arbitrary actions in the console.
Comment 6 errata-xmlrpc 2015-10-15 15:28:57 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html
Comment 7 errata-xmlrpc 2015-10-15 15:42:41 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html
Comment 8 errata-xmlrpc 2015-10-15 15:43:47 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html
Comment 9 errata-xmlrpc 2015-10-15 16:00:03 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html