Bug 1388240 (CVE-2016-8627)

Summary: CVE-2016-8627 admin-cli: Potential EAP resource starvation DOS attack via GET requests for server log files
Product: [Other] Security Response
Reporter: Bharti Kundal <bkundal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dosoudil, fnasser, jason.greene, jawilson, jshepherd, krathod, lgao, myarboro, pgier, pslavice, rnetuka, rsvoboda, security-response-team, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: admin-cli 3.0.0.Alpha25, admin-cli 2.2.1.CR2
Doc Type: If docs needed, set a value
Doc Text:
An EAP feature for downloading server log files serves them in response to plain GET requests, which leaves the download endpoint exposed to cross-origin requests. An attacker could cause a user's browser to request the log files repeatedly, consuming enough server resources that normal server operation is impaired.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1388986, 1388987
Bug Blocks: 1381143, 1413131, 1520314

Description Bharti Kundal 2016-10-24 19:50:33 UTC
Potential EAP resource starvation DOS attack via GET requests for server log files

Comment 3 Bharti Kundal 2017-01-16 19:57:21 UTC
Acknowledgments:

Name: Darran Lofthouse (Red Hat), Brian Stansberry (Red Hat)

Comment 4 errata-xmlrpc 2017-01-18 20:40:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0

Via RHSA-2017:0172 https://rhn.redhat.com/errata/RHSA-2017-0172.html

Comment 5 errata-xmlrpc 2017-01-18 21:54:26 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0171 https://rhn.redhat.com/errata/RHSA-2017-0171.html

Comment 6 errata-xmlrpc 2017-01-18 21:54:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:0170 https://rhn.redhat.com/errata/RHSA-2017-0170.html

Comment 7 errata-xmlrpc 2017-01-18 22:12:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0173 https://rhn.redhat.com/errata/RHSA-2017-0173.html

Comment 16 errata-xmlrpc 2017-02-02 20:23:54 UTC
This issue has been addressed in the following products:
Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

Comment 17 errata-xmlrpc 2017-02-02 20:44:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

Comment 18 errata-xmlrpc 2017-02-02 20:45:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

Comment 19 errata-xmlrpc 2017-02-02 20:46:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

Comment 20 errata-xmlrpc 2017-02-02 21:04:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html

Comment 21 errata-xmlrpc 2017-12-13 17:34:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 22 errata-xmlrpc 2017-12-13 18:20:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 23 errata-xmlrpc 2017-12-13 18:41:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 24 errata-xmlrpc 2017-12-13 18:48:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458