It was discovered that, under specific conditions, the conversation state that Weld keeps in a thread-local variable was not cleared correctly when the conversation ended. Because application servers reuse worker threads across requests, this created a race condition in which a request handled on the same thread could observe conversation state left behind by the previous conversation, potentially exposing sensitive information belonging to another user to the current one.
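The failure mode described above, as an added illustration that is not Weld's code and is not taken from the upstream commits: a simplified model in which a conversation's state is held in a ThreadLocal on a pooled worker thread. The ConversationState class, the two handler methods and the single-thread executor are assumptions made for this demonstration; the single-thread executor forces the thread reuse deterministically instead of waiting for the timing race to occur.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Illustrative model only (not Weld's implementation): a per-thread holder for
// the "current conversation", as a CDI container might keep for the request
// being serviced on that thread.
public class ThreadLocalLeakDemo {

    // Assumed shape of the per-conversation state for the demo.
    static final class ConversationState {
        final String owner;
        final String secret;
        ConversationState(String owner, String secret) {
            this.owner = owner;
            this.secret = secret;
        }
    }

    // Vulnerable pattern: state is set when the conversation begins but never
    // removed when it ends, so it survives on the pooled thread.
    static final ThreadLocal<ConversationState> LEAKY = new ThreadLocal<>();

    // Hardened pattern: same holder, but deactivation always removes it.
    static final ThreadLocal<ConversationState> CLEAN = new ThreadLocal<>();

    // Simulates one request on the vulnerable path. Returns whatever state was
    // already visible on the thread before this request installed its own.
    static String handleRequestLeaky(String user, String secret) {
        ConversationState stale = LEAKY.get();
        String seen = (stale == null) ? "<none>" : stale.owner + ":" + stale.secret;
        LEAKY.set(new ConversationState(user, secret));
        // ... request work; the end-of-conversation cleanup is skipped here,
        // modelling the "specific conditions" the advisory describes.
        return seen;
    }

    // Same request on the hardened path: the thread-local is removed in a
    // finally block, so the state cannot outlive the request, even on error.
    static String handleRequestClean(String user, String secret) {
        ConversationState stale = CLEAN.get();
        String seen = (stale == null) ? "<none>" : stale.owner + ":" + stale.secret;
        CLEAN.set(new ConversationState(user, secret));
        try {
            // ... request work
        } finally {
            CLEAN.remove();
        }
        return seen;
    }

    public static void main(String[] args) throws Exception {
        // A single-thread executor guarantees every request runs on the same
        // pooled thread, the worst case for thread-local leakage.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            Future<String> a = pool.submit(() -> handleRequestLeaky("alice", "alice-token"));
            a.get();
            Future<String> b = pool.submit(() -> handleRequestLeaky("bob", "bob-token"));
            System.out.println("leaky path: bob's request first sees " + b.get());

            Future<String> c = pool.submit(() -> handleRequestClean("alice", "alice-token"));
            c.get();
            Future<String> d = pool.submit(() -> handleRequestClean("bob", "bob-token"));
            System.out.println("clean path:  bob's request first sees " + d.get());
        } finally {
            pool.shutdown();
        }
    }
}
```

On the leaky path the second request returns the owner and secret that the first request left on the thread, which is the exposure the advisory describes; on the hardened path it finds nothing, because the finally block removes the state whether the request completes normally or throws. The same check applies when auditing any thread-local in a servlet or CDI container: every set must be paired with a remove on a path that cannot be skipped.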
Upstream Issue: https://issues.jboss.org/browse/WELD-1802
Acknowledgements: Red Hat would like to thank Rune Steinseth of JProfessionals for reporting this issue.
Upstream Commits: https://github.com/weld/core/commit/8e413202fa1af08c09c580f444e4fd16874f9c65 https://github.com/weld/core/commit/6808b11cd6d97c71a2eed754ed4f955acd789086 https://github.com/weld/core/commit/29fd1107fd30579ad9bb23fae4dc3ba464205745
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/8122.yaml
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.3.3 via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html
JBEAP 6.3.z for RHEL 6 via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html
JBEAP 6.3.z for RHEL 5 via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html
JBEAP 6.3.z for RHEL 7 via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html
JBoss Data Virtualization 6.1.0 via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
Red Hat JBoss Data Grid 6.4 via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
JBoss BPM Suite 6.1.0 via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
JBoss BRMS 6.1.0 via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
JBoss Operations Network 3.3.2 via RHSA-2015:0920 https://rhn.redhat.com/errata/RHSA-2015-0920.html