Bug 1250552 - (CVE-2015-5178) CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to clickjacking
CVE-2015-5178 JBoss AS/WildFly: missing X-Frame-Options header leading to cli...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151015,repor...
: Security
Depends On: 1249105
Blocks: 1250555 1271191
  Show dependency treegraph
 
Reported: 2015-08-05 08:49 EDT by Martin Prpič
Modified: 2015-10-15 12:00 EDT (History)
22 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the EAP Management Console could be opened in an IFRAME, which made it possible to intercept and manipulate requests. An attacker could use this flaw to trick a user into performing arbitrary actions in the Console (clickjacking).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-08-05 08:49:03 EDT
It was reported that the EAP console is vulnerable to clickjacking attacks because it does not set the X-Frame-Options HTTP header. An attacker could use this flaw to embedded the EAP console in a web page using a frame or iframe, and then trick a user into performing arbitrary actions in the console.
Comment 6 errata-xmlrpc 2015-10-15 11:28:57 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html
Comment 7 errata-xmlrpc 2015-10-15 11:42:41 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html
Comment 8 errata-xmlrpc 2015-10-15 11:43:47 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html
Comment 9 errata-xmlrpc 2015-10-15 12:00:03 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html

Note You need to log in before you can comment on or make changes to this bug.