Bug 843358 (CVE-2012-3428)

Summary: CVE-2012-3428 JBoss: Datasource connection manager returns valid connection for wrong credentials when using security-domains

Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Arun Babu Neelicattu <aneelica>
Assignee: Red Hat Product Security <security-response-team>
CC: djorm, dmace, grocha, rmillner, security-response-team, tkramer
Keywords: Security
Doc Type: Bug Fix
Last Closed: 2013-01-02 03:46:46 UTC
Bug Depends On: 843362, 888625
Bug Blocks: 843361, 881519

Description Arun Babu Neelicattu 2012-07-26 06:37:26 UTC
When using multi-user authentication provided by the "allow-multiple-users" option for the datasource's connection pool together with a security domain, the credentials provided as arguments to the getConnection(uid, pwd) function are ignored. This means that a valid connection will be returned for an invalid credential.

This could also mean that, provided the correct subject, a datasource connection can be obtained which might belong to a privileged user.

A fix for this issue is already available upstream. The upstream fix is located at [jira JBJCA-864].
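A deployment-side regression check for the behaviour described above, written as an added example (it is not code from this bug, from JBoss or from the JBJCA-864 fix). It assumes a datasource bound under a placeholder JNDI name and a low-privilege database account whose name and password are placeholders; it verifies that a wrong password is rejected and that a correct one yields a connection the database attributes to that user rather than to the security domain's subject.

```java
import javax.naming.InitialContext;
import javax.sql.DataSource;
import java.sql.Connection;
import java.sql.SQLException;

/**
 * Checks a datasource configured with allow-multiple-users plus a security
 * domain for the CVE-2012-3428 behaviour: (a) wrong credentials must not
 * return a usable connection, (b) correct credentials must return a
 * connection authenticated as the user passed to getConnection(uid, pwd).
 * Constructed example; JNDI name and accounts are placeholders.
 */
public class MultiUserDataSourceCheck {

    // Hypothetical values: replace with the datasource and accounts under test.
    static final String JNDI_NAME = "java:jboss/datasources/ExampleDS";
    static final String LOW_PRIV_USER = "app_reader";
    static final String LOW_PRIV_PASS = "reader-secret";
    static final String WRONG_PASS = "definitely-wrong";

    public static void main(String[] args) throws Exception {
        DataSource ds = (DataSource) new InitialContext().lookup(JNDI_NAME);

        // (a) A wrong password must fail. With the bug present this call
        // succeeds because the pool ignores the supplied credentials.
        boolean rejected;
        try (Connection c = ds.getConnection(LOW_PRIV_USER, WRONG_PASS)) {
            rejected = false;
        } catch (SQLException expected) {
            rejected = true;
        }
        System.out.println("wrong password rejected: " + rejected);

        // (b) Correct credentials must yield a connection the database itself
        // attributes to that user; a mismatch means another identity (such as
        // the security domain's subject) was substituted by the pool.
        try (Connection c = ds.getConnection(LOW_PRIV_USER, LOW_PRIV_PASS)) {
            String actual = c.getMetaData().getUserName();
            boolean matches = LOW_PRIV_USER.equalsIgnoreCase(actual);
            System.out.println("connection user: " + actual + ", matches: " + matches);
            if (!rejected || !matches) {
                throw new IllegalStateException(
                    "datasource ignores getConnection(uid, pwd) credentials");
            }
        }
    }
}
```

Run it inside the application server (where the JNDI lookup resolves); a thrown IllegalStateException means the datasource still shows the vulnerable behaviour.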

Comment 9 Murray McAllister 2012-10-10 06:06:47 UTC
Acknowledgements:

This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team.

Comment 10 errata-xmlrpc 2012-12-18 22:21:38 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html

Comment 11 errata-xmlrpc 2012-12-18 22:33:31 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html

Comment 12 errata-xmlrpc 2012-12-18 22:53:26 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html