Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1103815 - (CVE-2014-3472) CVE-2014-3472 JBoss AS Security: Invalid EJB caller role check implementation
CVE-2014-3472 JBoss AS Security: Invalid EJB caller role check implementation
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20140806,reported=2...
: Security
Depends On: 1116326 1160705 1103816 1103818 1103819 1116324 1116325 1116328 1116329 1116330 1116452 1116453
Blocks: 1082938 1112794 1116304 1116313 1181883 1182419
  Show dependency treegraph
 
Reported: 2014-06-02 11:54 EDT by Arun Babu Neelicattu
Modified: 2015-07-09 22:48 EDT (History)
35 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-07-09 22:48:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1019 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 15:06:42 EDT
Red Hat Product Errata RHSA-2014:1020 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 15:03:06 EDT
Red Hat Product Errata RHSA-2014:1021 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 update 2014-08-06 14:52:25 EDT
Red Hat Product Errata RHSA-2015:0234 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-17 22:27:47 EST
Red Hat Product Errata RHSA-2015:0235 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-17 22:27:36 EST
Red Hat Product Errata RHSA-2015:0720 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-24 21:05:53 EDT
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 15:14:47 EDT

  None (edit)
Description Arun Babu Neelicattu 2014-06-02 11:54:44 EDT 
IssueDescription:

It was found that the isCallerInRole() method of the SimpleSecurityManager did not correctly check caller roles. A remote, authenticated attacker could use this flaw to circumvent the caller check in applications that use black list access control based on caller roles.
Comment 3 Arun Babu Neelicattu 2014-06-06 05:11:49 EDT 
Acknowledgements:

Red Hat would like to thank CA Technologies for reporting this issue.
Comment 12 errata-xmlrpc 2014-08-06 10:53:08 EDT 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1021 https://rhn.redhat.com/errata/RHSA-2014-1021.html
Comment 13 errata-xmlrpc 2014-08-06 11:09:16 EDT 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2014:1020 https://rhn.redhat.com/errata/RHSA-2014-1020.html
Comment 14 errata-xmlrpc 2014-08-06 11:11:30 EDT 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2014:1019 https://rhn.redhat.com/errata/RHSA-2014-1019.html
Comment 16 errata-xmlrpc 2015-02-17 17:28:55 EST 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
Comment 17 errata-xmlrpc 2015-02-17 17:33:18 EST 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
Comment 19 errata-xmlrpc 2015-03-24 17:06:50 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
Comment 20 errata-xmlrpc 2015-05-14 11:20:49 EDT 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.