Bug 1660263 (CVE-2019-3805)

Summary: CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, avibelli, bgeorges, bmaxwell, bmcclain, brian.stansberry, cdewolf, chaowan, chazlett, csutherl, darran.lofthouse, dblechte, dfediuck, dimitris, dingyichen, dosoudil, drieden, eedri, etirelli, fgavrilo, fnasser, gvarsami, ibek, janstey, jason.greene, jawilson, jbalunas, jboss-set, jcoleman, jkurik, jochrist, jolee, jondruse, jpallich, jschatte, jshepherd, jstastny, kconner, krathod, kverlaen, ldimaggi, lef, lgao, loleary, lpetrovi, lthon, mgoldboi, michal.skrivanek, mszynkie, myarboro, nwallace, paradhya, pdrozd, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sbonazzo, sdaley, security-response-team, sherold, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, twalsh, vhalbert, vtunka
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in wildfly that would allow local users, who are able to execute init.d script, to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:44:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1645008    

Description Sam Fowler 2018-12-18 01:01:07 UTC
JBoss EAP has a vulnerability that allows local users who are able to execute init.d script to terminate arbitrary process on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.

Comment 5 Chess Hazlett 2019-04-30 17:35:00 UTC
Acknowledgments:

Name: Daniel Le Gall (SCRT Information Security)

Comment 6 errata-xmlrpc 2019-05-08 12:04:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106

Comment 7 errata-xmlrpc 2019-05-08 12:09:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107

Comment 8 errata-xmlrpc 2019-05-08 12:11:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108

Comment 9 errata-xmlrpc 2019-05-09 18:14:54 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.1 zip

Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140

Comment 10 Joshua Padman 2019-05-15 22:53:18 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Paramvir jindal 2019-07-19 05:22:28 UTC
JDG 7.3.2 (latest version as of today) is affected. Creating Tracker.

Comment 15 errata-xmlrpc 2019-08-08 10:08:42 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.4.0

Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413