Bug 1102317 (CVE-2014-3464) - CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133
Summary: CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Alessio Soldano
QA Contact: Tomas Kyjovsky
URL:
Whiteboard: impact=low,public=20140806,reported=2...
Depends On: 1102319 1102320 1102321
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-05-28 18:24 UTC by Arun Babu Neelicattu
Modified: 2019-06-08 20:03 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
Clone Of:
Environment:
Last Closed: 2014-08-11 15:42:14 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 969924 None None None Never
Red Hat Bugzilla 985799 None None None Never

Internal Links: 969924 985799

Description Arun Babu Neelicattu 2014-05-28 18:24:00 UTC 
IssueDescription:

It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
Comment 2 Arun Babu Neelicattu 2014-05-28 18:31:20 UTC 
Acknowledgement:

This issue was discovered by Tomas Kyjovsky of the Red Hat Quality Engineering Team.
Comment 12 Arun Babu Neelicattu 2014-08-11 15:34:39 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html
Comment 13 Arun Babu Neelicattu 2014-08-11 15:34:50 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html
Comment 14 Arun Babu Neelicattu 2014-08-11 15:35:04 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html
Note You need to log in before you can comment on or make changes to this bug.