Bug 1084841 – CVE-2014-0169 JBoss EAP: cache is shared between all applications in a security domain

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1084841 - (CVE-2014-0169) CVE-2014-0169 JBoss EAP: cache is shared between all applications in a security domain

Summary:	CVE-2014-0169 JBoss EAP: cache is shared between all applications in a securi...

Status:	CLOSED CURRENTRELEASE

Aliases:	CVE-2014-0169

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140408,repor...
Keywords:	Security

Depends On:	1073892 1084842 1084843 1084854
Blocks:
	Show dependency tree / graph

Reported:	2014-04-06 21:27 EDT by Arun Babu Neelicattu
Modified:	2015-02-15 16:53 EST (History)
CC List:	14 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-04-10 02:38:19 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Arun Babu Neelicattu 2014-04-06 21:27:49 EDT

When a security domain is configured to use a cache, this cache is shared between all application that are in the security domain. This could allow a user authenticated in one application to access protected resources in another despite not being authorized to do so. This is currently an intended functionality, but it was not clearly documented. Application developers could easily have assumed that a security domain cache is isolated to a single application.

Comment 4 Arun Babu Neelicattu 2014-04-07 03:02:30 EDT

Acknowledgement:

This issue was discovered by Ondrej Lukas of the Red Hat JBoss EAP Quality Engineering team.

Comment 5 Arun Babu Neelicattu 2014-04-07 20:18:18 EDT

Statement:

The fix for this flaw has been determined to be an addition to documentation. An admonition has been added to the relevant documentation that explain security domain usage in Red Hat JBoss Enterprise Application Platform 6. No security advisory will be published for this fix.

Note You need to log in before you can comment on or make changes to this bug.