Bug 2228608 (CVE-2023-4061)

Summary: CVE-2023-4061 wildfly-core: Management User RBAC permission allows unexpected reading of system-properties to an Unauthorized actor
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, ivassile, iweiss, lgao, mosmerov, msochure, mstefank, msvehla, nwallace, pjindal, pmackay, rstancel, security-response-team, smaestri, tom.jenkinson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: wildfly-core 15.0.30.Final
Doc Type: ---
Doc Text:
A flaw was found in wildfly-core. A management user could use the resolve-expression operation in the HAL Interface to read possibly sensitive information from the WildFly system. This issue could allow a malicious user with access to the system to obtain possibly sensitive information from it.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2227345

Description Patrick Del Bello 2023-08-02 20:26:50 UTC
A flaw was found in WildFly-core. A management user with a role could use the resolve-expression operation in the HAL Interface and hence read possibly sensitive information from the WildFly system. Note that this requires a management user in the "Monitor" role or a similar one, which is expected to be a small set of users that already have a high level of access. A malicious user could possibly access the system with this management user and obtain possibly sensitive information from the system.
By default, there is no sensitive information. WildFly administrators are highly recommended to use the Vault, and especially the current Elytron subsystem, to store potentially critical information such as DNS, IPs and credentials.
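As an added illustration of the risk described above (this script is not from the bug report, from Red Hat, or from WildFly), the following audit models what a management user allowed to call resolve-expression would learn from a server configuration: every system property is readable as ${name}, and any ${...} expression in the config resolves to its clear-text value, while a secret held behind an Elytron credential-reference is not returned by that operation. The XML fragment, the DB_HOST environment value and the "sensitive name" heuristic are constructed for the example, and resolve() is a simplified model of WildFly's ${name:default} syntax (nested expressions and the env.NAME prefix only).

```python
"""Audit a WildFly config for values that resolve-expression would reveal.

Added example, not code from the bug report or from WildFly. SAMPLE_XML is a
constructed fragment; resolve() is a simplified model of ${name:default}.
"""
import re
import xml.etree.ElementTree as ET

# One ${name} or ${name:default}; applied repeatedly to handle nesting.
EXPR = re.compile(r"\$\{([^{}:]+)(?::([^{}]*))?\}")
# Names that usually carry secrets (constructed heuristic, not a WildFly rule).
SENSITIVE = re.compile(r"pass(word)?|secret|token|credential|key", re.IGNORECASE)

SAMPLE_XML = """\
<server xmlns="urn:jboss:domain:20.0">
  <system-properties>
    <property name="db.password" value="hunter2"/>
    <property name="app.mode" value="prod"/>
  </system-properties>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:7.0">
      <datasources>
        <datasource jndi-name="java:/AppDS" pool-name="AppDS">
          <connection-url>jdbc:postgresql://${env.DB_HOST:db.internal}:5432/app</connection-url>
          <security user-name="app" password="${db.password}"/>
        </datasource>
        <datasource jndi-name="java:/SafeDS" pool-name="SafeDS">
          <security user-name="app">
            <credential-reference store="appstore" alias="db-pass"/>
          </security>
        </datasource>
      </datasources>
    </subsystem>
  </profile>
</server>
"""


def local(tag):
    """Strip the namespace prefix ElementTree puts on every WildFly element."""
    return tag.rsplit("}", 1)[-1]


def collect_system_properties(root):
    """Return the <system-properties> block as a name -> value dict."""
    props = {}
    for block in root.iter():
        if local(block.tag) != "system-properties":
            continue
        for prop in block:
            if local(prop.tag) == "property":
                props[prop.get("name")] = prop.get("value", "")
    return props


def resolve(value, props, env, max_depth=10):
    """Model of what resolve-expression returns for one ${...} string."""
    def substitute(match):
        name, default = match.group(1), match.group(2)
        found = env.get(name[4:]) if name.startswith("env.") else props.get(name)
        if found is None:
            found = default
        # Leave an unresolvable expression untouched rather than guessing.
        return match.group(0) if found is None else found

    for _ in range(max_depth):
        expanded = EXPR.sub(substitute, value)
        if expanded == value:
            break
        value = expanded
    return value


def audit(xml_text, env=None):
    """List every value a resolve-expression caller could learn from this config."""
    env = env or {}
    root = ET.fromstring(xml_text)
    props = collect_system_properties(root)
    findings = []
    # Every system property is readable as ${name}, used in the config or not.
    for name, value in props.items():
        findings.append({"where": f"system-property:{name}", "raw": "${%s}" % name,
                         "resolved": value, "status": "disclosed",
                         "sensitive": bool(SENSITIVE.search(name))})
    for elem in root.iter():
        tag = local(elem.tag)
        if tag == "credential-reference":
            # Store-backed secret: resolve-expression does not return it.
            findings.append({"where": tag, "raw": None, "resolved": None,
                             "status": "safe", "sensitive": True})
            continue
        candidates = [(f"{tag}@{attr}", val) for attr, val in elem.attrib.items()]
        if elem.text and elem.text.strip():
            candidates.append((tag, elem.text.strip()))
        for where, raw in candidates:
            if "${" not in raw:
                continue
            resolved = resolve(raw, props, env)
            findings.append({"where": where, "raw": raw, "resolved": resolved,
                             "status": "disclosed" if resolved != raw else "unresolved",
                             "sensitive": bool(SENSITIVE.search(where) or SENSITIVE.search(raw))})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_XML, {"DB_HOST": "10.0.0.5"}):
        flag = "SENSITIVE " if f["sensitive"] and f["status"] != "safe" else ""
        print(f"{f['status']:10} {flag}{f['where']}: {f['raw']} -> {f['resolved']}")
```

Run as a plain script to see the report for the constructed fragment: the db.password system property and the datasource password attribute that references it are both listed as disclosed, while the datasource that uses a credential-reference is listed as safe. Point audit() at a real standalone.xml (with the live environment) to see which of your own values a Monitor-role user could read before the fixed wildfly-core version is deployed; the remedy the report recommends is to move such values into the Elytron credential store rather than into system properties or expression defaults.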

Comment 3 errata-xmlrpc 2023-10-05 20:18:36 UTC
This issue has been addressed in the following products:

  EAP 7.4.13

Via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488

Comment 4 errata-xmlrpc 2023-10-05 20:21:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484

Comment 5 errata-xmlrpc 2023-10-05 20:22:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485

Comment 6 errata-xmlrpc 2023-10-05 20:23:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486

Comment 7 Paramvir Jindal 2024-04-03 03:49:53 UTC
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version.