Bug 802622 (CVE-2012-1167)

Summary: CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: brms-jira, djorm, dpalmer, grocha, jcoleman, mjc, ncross, nwallace, rzhang, security-response-team, tkirby, zzoubkov
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20120612,reported=20120313,source=customer,cvss2=4.6/AV:N/AC:H/Au:S/C:P/I:P/A:P,brms-5/Security=affected,soap-5/Security=affected,epp-5/Requirements=affected
Doc Type: Bug Fix
Last Closed: 2012-09-05 19:42:54 EDT
Bug Depends On: 804894, 804895, 804897
Bug Blocks: 802628

Description Arun Babu Neelicattu 2012-03-13 01:41:02 EDT
When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml <security-constraint> tag.
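As an added defender-side example, not part of the bug report or of JBoss itself: a Python audit that flags a context.xml whose JaccAuthorizationRealm is declared with ignoreBaseDecision="true" and lists the role-protected url-patterns from the application's web.xml that, per the description above, any authenticated user could then reach on an unpatched server. The realm being declared as a <Realm> element with its properties as XML attributes (Tomcat context.xml style, e.g. deploy/jbossweb.sar/context.xml in EAP 5) is an assumption, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

JACC_REALM = "JaccAuthorizationRealm"  # realm class named in the bug report

def _local(tag):
    """Strip an XML namespace prefix: '{ns}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]

def realm_ignores_base_decision(context_xml):
    """True if a JaccAuthorizationRealm is declared with ignoreBaseDecision="true"."""
    root = ET.fromstring(context_xml)
    realms = [root] if _local(root.tag) == "Realm" else list(root.iter("Realm"))
    for realm in realms:
        cls = realm.get("className", "")
        flag = realm.get("ignoreBaseDecision", "false").strip().lower() == "true"
        if cls.endswith(JACC_REALM) and flag:
            return True
    return False

def role_constraints(web_xml):
    """Map each role-protected url-pattern in web.xml to the roles it requires."""
    root = ET.fromstring(web_xml)
    out = {}
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        roles = [r.text.strip() for r in sc.iter() if _local(r.tag) == "role-name" and r.text]
        if not roles:
            continue  # no role requirement here, so nothing for this bug to bypass
        for p in sc.iter():
            if _local(p.tag) == "url-pattern" and p.text:
                out[p.text.strip()] = roles
    return out

def exposed_patterns(context_xml, web_xml):
    """url-patterns whose role check an unpatched server would skip for any valid user."""
    if not realm_ignores_base_decision(context_xml):
        return {}
    return role_constraints(web_xml)

# Constructed sample configuration (assumed attribute form), not from any real deployment.
WEAK_CONTEXT = """<Context cookies="true" crossContext="true">
  <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm" ignoreBaseDecision="true"/>
</Context>"""
SAFE_CONTEXT = WEAK_CONTEXT.replace('ignoreBaseDecision="true"', 'ignoreBaseDecision="false"')
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
</web-app>"""
```

The script only identifies the configuration precondition; applying the errata listed in the comments below is the actual remediation.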
Comment 6 David Jorm 2012-06-12 19:13:28 EDT
This flaw is resolved in EAP 6.0.0 GA.
Comment 7 errata-xmlrpc 2012-06-19 15:24:20 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1013 https://rhn.redhat.com/errata/RHSA-2012-1013.html
Comment 8 errata-xmlrpc 2012-06-19 15:34:34 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1014 https://rhn.redhat.com/errata/RHSA-2012-1014.html
Comment 9 errata-xmlrpc 2012-06-20 12:05:47 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html
Comment 10 errata-xmlrpc 2012-06-20 12:05:54 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html
Comment 11 David Jorm 2012-08-10 00:00:50 EDT
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
Comment 12 David Jorm 2012-08-10 00:03:26 EDT
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
Comment 14 errata-xmlrpc 2012-09-05 12:27:17 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html