Bug 1252885 (CVE-2015-5188, WFLY-2913)

Summary: CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: asantos, bilge, cdewolf, chazlett, dandread, darran.lofthouse, dhorton, jason.greene, jawilson, jpallich, lgao, myarboro, pslavice, rmarwaha, rsvoboda, security-response-team, slong, theute, ttarrant, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance.
Story Points: ---
Last Closed: 2021-10-21 00:47:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1253674
Bug Blocks: 1252886, 1271191

Description Vasyl Kaigorodov 2015-08-12 12:45:19 UTC
Jason Greene from Red Hat reported that a CSRF vulnerability was introduced with this change:

https://github.com/wildfly/wildfly/pull/5904

and backported here:

https://github.com/jbossas/jboss-eap/pull/932

Affected Versions include:
EAP 6.3.x
EAP 6.4.x
WildFly 8.1.0
WildFly 8.2.0
WildFly 9.0.x

Known Affected Browsers:
Internet Explorer (all supported versions)
Firefox (all supported versions)

The change introduces the ability to upload a file as part of executing a management operation. Since the format used is equivalent to a standard multipart/form-data submission, it can be easily forged using an HTML page and a hidden form value, as such pages are not enforced under the same-origin policy. While the EAP/WildFly versions affected enforce Origin headers, which would mitigate this attack, only WebKit-derived browsers (Chrome, Safari, Opera, etc.) send them.

The net result is that this vulnerability, when combined with a forgery attack, would allow an attacker to make arbitrary changes to the EAP/WildFly instance that the administrator is currently authenticated against, including (but not limited to) altering security policies and network configuration of the instance (assuming that the administrator had such permissions).
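The report's core point is that an Origin-header check which treats a missing header as "same origin" fails open for browsers that never send Origin on a cross-site form post. The following is an added illustration, not code from this bug, from WildFly/EAP, or from the upstream fix (WFCORE-594): it models a management endpoint's request policy twice, once as the origin-only check described above and once as a fail-closed check that requires a per-session anti-CSRF token and rejects any Origin/Referer that does not match the console. The console origin, the `csrf_token` form field, the `X-CSRF-Token` header and all sample requests are constructed assumptions.

```python
"""Added example: an origin-only CSRF check that fails open versus a
fail-closed check. Constructed for illustration; not WildFly/EAP code and
not the upstream fix. CONSOLE_ORIGIN, SESSION_TOKEN, the "csrf_token" form
field and the "X-CSRF-Token" header name are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import hmac

CONSOLE_ORIGIN = "https://console.example.internal:9990"  # assumed console origin
SESSION_TOKEN = "8f1c0d2e5b7a4c6e9d3f1a2b4c6d8e0f"        # constructed per-session secret


@dataclass
class Request:
    """Minimal model of an inbound HTTP request to the management console."""
    method: str
    content_type: str
    headers: dict
    form: dict = field(default_factory=dict)


def request_origin(req: Request):
    """Origin the browser claims: the Origin header, else scheme://host[:port]
    of the Referer, else None when the browser sent neither."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def origin_only_policy(req: Request) -> bool:
    """The weak pattern: a mismatched Origin is rejected, but a request with
    no Origin header is allowed. Browsers that omit Origin on a cross-site
    form post therefore pass, which is the gap the report describes."""
    origin = req.headers.get("Origin")
    if origin is None:
        return True
    return origin.rstrip("/") == CONSOLE_ORIGIN


def fail_closed_policy(req: Request, session_token: str) -> bool:
    """Hardened pattern: every state-changing request must carry a valid
    per-session token that a cross-site page cannot read, and any
    Origin/Referer that is present must match the console. A missing header
    is never taken as proof of same-origin."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # not state-changing; outside the scope of this check
    origin = request_origin(req)
    if origin is not None and origin != CONSOLE_ORIGIN:
        return False  # header identifies a cross-site request
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token:
        return False  # no evidence the request came from the console page
    return hmac.compare_digest(token, session_token)  # constant-time compare


# Constructed sample requests (not captured traffic). "other-site.example"
# stands for any third-party page the administrator might be viewing.
MULTIPART = "multipart/form-data; boundary=----example"
CASES = {
    "same_origin": Request("POST", MULTIPART,
        {"Origin": CONSOLE_ORIGIN, "Referer": CONSOLE_ORIGIN + "/console/App.html"},
        {"operation": "management-op", "csrf_token": SESSION_TOKEN}),
    "cross_site_origin": Request("POST", MULTIPART,
        {"Origin": "https://other-site.example", "Referer": "https://other-site.example/p.html"},
        {"operation": "management-op"}),
    "cross_site_referer_only": Request("POST", MULTIPART,
        {"Referer": "https://other-site.example/p.html"},
        {"operation": "management-op"}),
    "cross_site_no_headers": Request("POST", MULTIPART, {},
        {"operation": "management-op"}),
}


def evaluate():
    """Return {case: (origin_only_result, fail_closed_result)} for every sample."""
    return {name: (origin_only_policy(r), fail_closed_policy(r, SESSION_TOKEN))
            for name, r in CASES.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate().items():
        print(f"{name:24} origin-only={'ALLOW' if weak else 'deny':5} "
              f"fail-closed={'ALLOW' if hard else 'deny'}")
```

Running it shows the two cross-site requests that carry no Origin header are allowed by the origin-only policy and denied by the fail-closed one, while the legitimate console request passes both. The token is the primary control; the origin comparison is defence in depth for browsers that do send the header.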

Comment 3 JBoss JIRA Server 2015-08-26 19:43:23 UTC
Harald Pehl <hpehl> updated the status of jira HAL-798 to Resolved

Comment 11 Timothy Walsh 2015-10-14 07:28:59 UTC
Acknowledgement:

This issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

Comment 12 errata-xmlrpc 2015-10-15 15:28:59 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html

Comment 13 errata-xmlrpc 2015-10-15 15:42:50 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html

Comment 14 errata-xmlrpc 2015-10-15 15:43:53 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html

Comment 15 errata-xmlrpc 2015-10-15 16:00:10 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html

Comment 16 JBoss JIRA Server 2015-10-27 03:10:47 UTC
Jason Greene <jason.greene> updated the status of jira WFCORE-594 to Resolved