1102317 – (CVE-2014-3464) CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133

Bug 1102317 (CVE-2014-3464) - CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133

Summary: CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133

Status:	CLOSED ERRATA
Alias:	CVE-2014-3464
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Alessio Soldano
QA Contact:	Tomas Kyjovsky
Docs Contact:
URL:
Whiteboard:	impact=low,public=20140806,reported=2...
Keywords:	Security
Depends On:	1102319 1102320 1102321
Blocks:
TreeView+	depends on / blocked

Reported:	2014-05-28 18:24 UTC by Arun Babu Neelicattu
Modified:	2019-06-08 20:03 UTC (History)
CC List:	14 users (show)
Fixed In Version:
Doc Type:
Doc Text:	(edit) It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke. It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
Clone Of:
Environment:	(edit)
Last Closed:	2014-08-11 15:42:14 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	969924	None	None	None	Never
Red Hat Bugzilla	985799	None	None	None	Never

Internal Trackers: 969924 985799

Description Arun Babu Neelicattu 2014-05-28 18:24:00 UTC

IssueDescription:

It was found that the fix for CVE-2013-2133 was incomplete: the JAX-WS handlers were being executed for outbound messages even when authorization had failed. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.

Comment 2 Arun Babu Neelicattu 2014-05-28 18:31:20 UTC

Acknowledgement:

This issue was discovered by Tomas Kyjovsky of the Red Hat Quality Engineering Team.

Comment 12 Arun Babu Neelicattu 2014-08-11 15:34:39 UTC

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html

Comment 13 Arun Babu Neelicattu 2014-08-11 15:34:50 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html

Comment 14 Arun Babu Neelicattu 2014-08-11 15:35:04 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html

Note You need to log in before you can comment on or make changes to this bug.