Bug 1660263 (CVE-2019-3805)
| Summary: | CVE-2019-3805 wildfly: Race condition on PID file allows for termination of arbitrary processes by local users | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, aileenc, alazarot, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, bmcclain, brian.stansberry, cdewolf, chaowan, chazlett, csutherl, darran.lofthouse, dblechte, dfediuck, dimitris, dingyichen, dkreling, dosoudil, drieden, eedri, etirelli, fgavrilo, fnasser, gvarsami, ibek, iweiss, janstey, jason.greene, jawilson, jbalunas, jboss-set, jcoleman, jkurik, jochrist, jolee, jondruse, jpallich, jperkins, jschatte, jshepherd, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lef, lgao, loleary, lpetrovi, lthon, mgoldboi, michal.skrivanek, msochure, msvehla, mszynkie, myarboro, nwallace, paradhya, pdrozd, pgallagh, pgier, pjindal, pjurak, pmackay, ppalaga, psakar, pslavice, psotirop, puntogil, rguimara, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sbonazzo, sdaley, security-response-team, sherold, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, trogers, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was discovered in wildfly that would allow local users, who are able to execute init.d script, to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing the init.d script to terminate any process as root.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:44:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1645008 | ||
|
Description
Sam Fowler
2018-12-18 01:01:07 UTC
Acknowledgments: Name: Daniel Le Gall (SCRT Information Security) This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108 This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.1 zip Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140 This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. JDG 7.3.2 (latest version as of today) is affected. Creating Tracker. This issue has been addressed in the following products: Red Hat Fuse 7.4.0 Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413 This issue has been addressed in the following products: Red Hat Data Grid 7.3.3 Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565 |