1205112 – (CVE-2014-8175) CVE-2014-8175 JBoss Fuse: insufficient access permissions checks when accessing Hawtio console

Bug 1205112 (CVE-2014-8175) - CVE-2014-8175 JBoss Fuse: insufficient access permissions checks when accessing Hawtio console

Summary: CVE-2014-8175 JBoss Fuse: insufficient access permissions checks when accessi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-8175
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1205115 1232965
TreeView+	depends on / blocked

Reported:	2015-03-24 09:18 UTC by Martin Prpič
Modified:	2023-05-12 16:30 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	It was found that JBoss Fuse would allow any user defined in the users.properties file to access the HawtIO console without having a valid admin role. This could allow a remote attacker to bypass intended authentication HawtIO console access restrictions.
Clone Of:
Environment:
Last Closed:	2015-11-02 02:00:03 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1176	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss Fuse 6.2.0 update	2015-06-23 20:52:52 UTC
Red Hat Product Errata	RHSA-2015:1177	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss A-MQ 6.2.0 update	2015-06-23 20:52:10 UTC

Description Martin Prpič 2015-03-24 09:18:21 UTC

It was found that JBoss Fuse would allow any user defined in the users.properties file to access the HawtIO console without having a valid admin role. This could allow a remote attacker to bypass intended authentication HawtIO console access restrictions.

Comment 2 Chess Hazlett 2015-06-18 19:28:04 UTC

Acknowledgements:

This issue was reported by Jay Kumar SenSharma of Red Hat.

Comment 3 errata-xmlrpc 2015-06-23 16:52:49 UTC

This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.2.0

Via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html

Comment 4 errata-xmlrpc 2015-06-23 16:53:48 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html

Note You need to log in before you can comment on or make changes to this bug.