Bug 1273046 (CVE-2015-5304)

Summary: CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bbaranow, bmaxwell, brian.stansberry, cdewolf, csutherl, dandread, darran.lofthouse, fnasser, jason.greene, jawilson, lgao, lthon, myarboro, pslavice, rsvoboda, security-response-team, slong, twalsh, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:48:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1274140, 1274141    
Bug Blocks: 1273047, 1286524    

Description Martin Prpič 2015-10-19 12:55:15 UTC 
It was found that JBoss EAP did not properly authorize a user performing a shut down. An user with the role Monitor, Deployer, or Auditor could use this flaw to shut down the EAP server, which is an action restricted to admin users.

The following commits introduced this issue:

https://github.com/wildfly/wildfly-core/commit/6e5611b4c6
https://github.com/jbossas/jboss-eap/commit/a905e9a041

The context.getServiceRegistry call, which throws an exception when authorization fails, was replaced with a call to context.authorize, which only returns an authorization result.
Comment 2 Martin Prpič 2015-10-19 13:19:45 UTC 
Acknowledgements:

This issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.
Comment 11 errata-xmlrpc 2015-12-02 16:59:12 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html
Comment 12 errata-xmlrpc 2015-12-02 17:19:58 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html
Comment 13 errata-xmlrpc 2015-12-02 17:20:11 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html
Comment 14 errata-xmlrpc 2015-12-02 17:35:28 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html
Comment 15 errata-xmlrpc 2015-12-02 17:48:38 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html