Bug 1380852 (CVE-2016-7061)
Summary: | CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Bharti Kundal <bkundal> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, ehugonne, jason.greene, jawilson, jshepherd, lgao, myarboro, pslavice, rnetuka, rsvoboda, security-response-team, twalsh, vtunka |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | Flags: | bkundal: needinfo- |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | eap 7.0.4 | Doc Type: | If docs needed, set a value |
Doc Text: | It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-10-21 11:47:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1381324, 1381325 | | |
Bug Blocks: | 1392081, 1413131, 1520314 | | |
Description
Bharti Kundal
2016-09-30 19:10:50 UTC

When configuring RBAC and marking information as sensitive, the users under the Monitor role are able to view it. The following are the details:

```xml
<security-realms>
  <security-realm name="ManagementRealm">
    <authentication>
      <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
    </authentication>
    <authorization map-groups-to-roles="false">
      <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
    </authorization>
  </security-realm>
</security-realms>

<management>
  <access-control provider="rbac">
    <role-mapping>
      <role name="SuperUser">
        <include>
          <user name="adminuser"/>
        </include>
      </role>
      <role name="Monitor">
        <include>
          <user name="rbactest"/>
        </include>
      </role>
    </role-mapping>
    <constraints>
      <sensitive-classifications>
        <sensitive-classification type="core" name="socket-config" requires-read="true"/>
      </sensitive-classifications>
    </constraints>
  </access-control>
</management>
```

With user rbactest under the Monitor role, the socket-binding read-resource fails:

```
[bkundal@dhcp193-167 bin]$ ./jboss-cli.sh --connect
Authenticating against security realm: ManagementRealm
Username: rbactest
Password:
[domain@localhost:9999 /] cd socket-binding-group=ha-sockets
[domain@localhost:9999 socket-binding-group=ha-sockets] /socket-binding-group=ha-sockets/socket-binding=http:read-resource
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' for resource '[ (\"socket-binding-group\" => \"ha-sockets\"), (\"socket-binding\" => \"http\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 socket-binding-group=ha-sockets]
```

but this socket-config can be viewed at the server level:

```
[domain@localhost:9999 socket-binding-group=ha-sockets] cd /host=master/
[domain@localhost:9999 host=master] cd server=server-one
[domain@localhost:9999 server=server-one] cd socket-binding-group=full-sockets
[domain@localhost:9999 socket-binding-group=full-sockets] cd socket-binding=http
[domain@localhost:9999 socket-binding=http] ls -l
ATTRIBUTE          VALUE      TYPE
bound              true       BOOLEAN
bound-address      127.0.0.1  STRING
bound-port         8080       INT
client-mappings    undefined  LIST
fixed-port         false      BOOLEAN
interface          undefined  STRING
multicast-address  undefined  STRING
multicast-port     undefined  INT
name               http       STRING
port               8080       INT
[domain@localhost:9999 socket-binding=http]
```

This issue has been addressed in the following products:

- JBoss Enterprise Application Platform 7.0.4: via RHSA-2017:0172, https://rhn.redhat.com/errata/RHSA-2017-0172.html
- Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7: via RHSA-2017:0171, https://rhn.redhat.com/errata/RHSA-2017-0171.html
- Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6: via RHSA-2017:0170, https://rhn.redhat.com/errata/RHSA-2017-0170.html
- Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 and Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7: via RHSA-2017:0173, https://rhn.redhat.com/errata/RHSA-2017-0173.html
- Via RHSA-2017:0247, https://rhn.redhat.com/errata/RHSA-2017-0247.html
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5: via RHSA-2017:0246, https://rhn.redhat.com/errata/RHSA-2017-0246.html
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7: via RHSA-2017:0245, https://rhn.redhat.com/errata/RHSA-2017-0245.html
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6: via RHSA-2017:0244, https://rhn.redhat.com/errata/RHSA-2017-0244.html
- Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6: via RHSA-2017:0250, https://rhn.redhat.com/errata/RHSA-2017-0250.html
- Red Hat JBoss Enterprise Application Platform: via RHSA-2017:3456, https://access.redhat.com/errata/RHSA-2017:3456
- Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6: via RHSA-2017:3454, https://access.redhat.com/errata/RHSA-2017:3454
- Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7: via RHSA-2017:3455, https://access.redhat.com/errata/RHSA-2017:3455
- Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 and Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6: via RHSA-2017:3458, https://access.redhat.com/errata/RHSA-2017:3458
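The report above reads the same socket binding at two management addresses and gets different answers: the domain-level read is denied, the server-level mirror under /host=master/server=server-one is not. The following is an added example, not part of the bug report and not EAP's own code. It is a small offline regression check an administrator can run against captured jboss-cli output after applying the erratum: it takes read-resource results keyed by address (constructed samples modelled on the two reads above, not verbatim page output), maps any /host=.../server=... address onto the domain-level resource it mirrors (an assumed normalisation for the check, not a description of EAP's internal model), and lists every address under the "socket-config" classification that a Monitor-role read succeeded on. On a fixed server the expected result is an empty list.

```python
import re

# Constructed sample results, one per management address, in the DMR text form
# jboss-cli prints. They mirror the two reads in the report but are not the
# page's verbatim output; the logging subsystem entry is a non-sensitive control.
SAMPLE_RESULTS = {
    "/socket-binding-group=ha-sockets/socket-binding=http":
        '{ "outcome" => "failed", "failure-description" => "JBAS013456: Unauthorized '
        'to execute operation \'read-resource\'", "rolled-back" => true }',
    "/host=master/server=server-one/socket-binding-group=full-sockets/socket-binding=http":
        '{ "outcome" => "success", "result" => { "bound-address" => "127.0.0.1", '
        '"bound-port" => 8080, "port" => 8080 } }',
    "/host=master/server=server-one/subsystem=logging":
        '{ "outcome" => "success", "result" => {} }',
}

# Address components protected by a sensitive classification. Only the
# "socket-config" classification from the report is modelled here (assumption).
SENSITIVE_COMPONENTS = {"socket-config": ("socket-binding-group", "socket-binding")}

# In domain mode a server-level address starts with /host=<host>/server=<server>.
RUNTIME_PREFIX = re.compile(r"^/host=[^/]+/server=[^/]+")


def outcome(dmr_text):
    """Extract the "outcome" value from jboss-cli's DMR-style output."""
    match = re.search(r'"outcome"\s*=>\s*"([a-z]+)"', dmr_text)
    return match.group(1) if match else "unknown"


def canonical_address(address):
    """Map a server-level address onto the domain-level resource it mirrors."""
    return RUNTIME_PREFIX.sub("", address) or "/"


def sensitive_classification(address, components=SENSITIVE_COMPONENTS):
    """Return the name of the classification covering the address, or None."""
    segments = [seg.split("=", 1)[0]
                for seg in canonical_address(address).strip("/").split("/") if seg]
    for name, protected in components.items():
        if any(seg in protected for seg in segments):
            return name
    return None


def find_leaks(results):
    """Addresses under a requires-read classification that a read-only role still read."""
    return [addr for addr, text in results.items()
            if sensitive_classification(addr) and outcome(text) == "success"]


if __name__ == "__main__":
    for addr in find_leaks(SAMPLE_RESULTS):
        print("LEAK:", addr, "mirrors", canonical_address(addr))
```

To use it against a live host, capture the read-resource output for each address of interest while authenticated as the Monitor-role user and load the captures into the dictionary in place of the constructed samples; any address the check lists is one where the sensitivity constraint is not being enforced.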