Bug 969924 (CVE-2013-2133)
| Summary: | CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | asoldano, cdewolf, chazlett, fnasser, grocha, huwang, jcacek, lgao, mjc, pavelp, pcheung, rdickens, security-response-team, smumford, theute, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-12-14 19:24:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 969978, 985798, 985799, 985801, 985802, 985803, 988615, 1048077, 1050458, 1050459, 1050460, 1050461, 1050462, 1050463, 1050464 | ||
| Bug Blocks: | 1012704, 1012753, 1082938, 1210482 | ||
|
Description
Arun Babu Neelicattu
2013-06-03 04:28:35 UTC
Acknowledgements: This issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat. This issue has been addressed in following products: Red Hat JBoss Enterprise Application Platform 6.2.0 Via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html Statement: Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ Upstream Issue: https://issues.jboss.org/browse/WFLY-308 Upstream Fix: https://github.com/wildfly/wildfly/pull/5234 This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |