Bug 1252885 - (CVE-2015-5188, WFLY-2913) CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20151015,repor...
Keywords: Security
Depends On: 1253674
Blocks: 1252886 1271191
Reported: 2015-08-12 08:45 EDT by Vasyl Kaigorodov
Modified: 2015-10-26 23:10 EDT (History)
See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance.
External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | HAL-798 | Critical | Resolved | Update HAL to use XHR for uploads | 2017-10-18 00:34 EDT
JBoss Issue Tracker | WFCORE-594 | Blocker | Resolved | CSRF vulnerability in the WFLY-2913 solution | 2017-10-18 00:34 EDT

Description Vasyl Kaigorodov 2015-08-12 08:45:19 EDT
Jason Greene from Red Hat reported that a CSRF vulnerability was introduced with this change:

https://github.com/wildfly/wildfly/pull/5904

and backported here:

https://github.com/jbossas/jboss-eap/pull/932

Affected Versions include:
EAP 6.3.x
EAP 6.4.x
WildFly 8.1.0
WildFly 8.2.0
WildFly 9.0.x

Known Affected Browsers:
Internet Explorer (all supported versions)
Firefox (all supported versions)

The change introduces the ability to upload a file as part of executing a management operation. Since the format used is equivalent to a standard multipart/form-data submission, it can therefore be easily forged using an HTML page and a hidden form value, since such pages are not enforced under the same-origin policy. While the EAP/WildFly versions affected enforce Origin headers, which would mitigate this attack, only WebKit-derived browsers (Chrome, Safari, Opera, etc.) send them.

The net result is that this vulnerability, when combined with a forgery attack, would allow an attacker to make arbitrary changes to the EAP/WildFly instance that the administrator is currently authenticated against, including (but not limited to) altering security policies and network configuration of the instance (assuming that the administrator had such permissions).
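As an added example (not WildFly, HAL or Red Hat code), the request-validation policy below shows why Origin checking alone is insufficient for the upload described above and what the move to XHR-based uploads buys a defender: a header that a plain HTML form cannot set becomes mandatory for form-shaped requests, and a missing Origin is treated as untrusted rather than as a pass. The allowed console origin, the marker header name and the sample requests in the test are constructed for this illustration.

```python
"""Defensive CSRF policy for a management endpoint that accepts multipart uploads.

Example code, not WildFly's own. The browsers named in the report sent no Origin
header, so absence of Origin must not mean "trusted"; in addition, any request
shaped like an HTML form post must carry a header only XHR/fetch can add.
"""
from typing import Mapping, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://admin.example.test:9990"}       # assumed console origin
REQUIRED_HEADER = ("X-Requested-With", "XMLHttpRequest")    # assumed XHR marker

# Content types an HTML <form> can produce; XHR can send these or anything else.
FORM_CONTENT_TYPES = {"multipart/form-data", "application/x-www-form-urlencoded", "text/plain"}


def _origin_of(headers: Mapping[str, str]) -> Optional[str]:
    """Return scheme://host[:port] from Origin, falling back to Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return h["origin"].rstrip("/")
    if "referer" in h:
        u = urlsplit(h["referer"])
        if u.scheme and u.netloc:
            return f"{u.scheme}://{u.netloc}"
    return None


def csrf_reject_reason(method: str, headers: Mapping[str, str]) -> Optional[str]:
    """Return None if the request may proceed, otherwise the rejection reason.

    Only state-changing methods are checked. A form-shaped body without the XHR
    marker header is rejected before any origin logic runs, because a forged
    <form> from another site can produce exactly that request.
    """
    if method.upper() not in {"POST", "PUT", "DELETE", "PATCH"}:
        return None
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in FORM_CONTENT_TYPES:
        name, value = REQUIRED_HEADER
        if h.get(name.lower()) != value:
            return "form-shaped request without XHR marker header"
    origin = _origin_of(headers)
    if origin is None:
        # No Origin and no Referer: cannot verify the sender, so fail closed.
        return "no Origin or Referer to verify"
    if origin not in ALLOWED_ORIGINS:
        return f"origin {origin} not allowed"
    return None
```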
Comment 3 JBoss JIRA Server 2015-08-26 15:43:23 EDT
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-798 to Resolved
Comment 11 Timothy Walsh 2015-10-14 03:28:59 EDT
Acknowledgement:

This issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.
Comment 12 errata-xmlrpc 2015-10-15 11:28:59 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html
Comment 13 errata-xmlrpc 2015-10-15 11:42:50 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html
Comment 14 errata-xmlrpc 2015-10-15 11:43:53 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html
Comment 15 errata-xmlrpc 2015-10-15 12:00:10 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html
Comment 16 JBoss JIRA Server 2015-10-26 23:10:47 EDT
Jason Greene <jason.greene@jboss.com> updated the status of jira WFCORE-594 to Resolved