Bug 1252885 (CVE-2015-5188, WFLY-2913) - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Summary: CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Status: NEW
Alias: CVE-2015-5188, WFLY-2913
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20151015,repor...
Keywords: Security
Depends On: 1253674
Blocks: 1252886 1271191
 
Reported: 2015-08-12 12:45 UTC by Vasyl Kaigorodov
Modified: 2018-03-05 15:34 UTC (History)
CC List: 23 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the file upload endpoint of the EAP Web Console accepted uploads submitted as a plain multipart/form-data form post, which made it vulnerable to Cross-Site Request Forgery (CSRF). An attacker who lured an authenticated administrator to a malicious page could use the flaw to submit arbitrary management operations to the EAP instance that administrator was logged into.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | HAL-798 | Critical | Resolved | Update HAL to use XHR for uploads | 2018-03-01 16:16 UTC
JBoss Issue Tracker | WFCORE-594 | Blocker | Resolved | CSRF vulnerability in the WFLY-2913 solution | 2018-03-01 16:16 UTC
Red Hat Product Errata | RHSA-2015:1904 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update | 2015-10-15 19:40:00 UTC
Red Hat Product Errata | RHSA-2015:1905 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update | 2015-10-15 19:38:43 UTC
Red Hat Product Errata | RHSA-2015:1906 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update | 2015-10-15 19:58:56 UTC
Red Hat Product Errata | RHSA-2015:1907 | normal | SHIPPED_LIVE | Important: Red Hat JBoss Enterprise Application Platform 6.4.4 jboss-ec2-eap update | 2015-10-15 19:28:38 UTC

Description Vasyl Kaigorodov 2015-08-12 12:45:19 UTC
Jason Greene from Red Hat reported that a CSRF vulnerability was introduced with this change:

https://github.com/wildfly/wildfly/pull/5904

and backported here:

https://github.com/jbossas/jboss-eap/pull/932

Affected Versions include:
EAP 6.3.x
EAP 6.4.x
WildFly 8.1.0
WildFly 8.2.0
WildFly 9.0.x

Known Affected Browsers:
Internet Explorer (all supported versions)
Firefox (all supported versions)

The change introduces the ability to upload a file as part of executing a management operation. Since the format used is equivalent to a standard multipart/form-data submission, it can therefore be easily forged using an HTML page and a hidden form value, since such pages are not enforced under the same-origin policy. While the EAP/WildFly versions affected enforce Origin headers, which would mitigate this attack, only WebKit derived browsers (Chrome, Safari, Opera, etc) send them.

The net result is that this vulnerability, when combined with a forgery attack would allow an attacker to make arbitrary changes to the EAP/WildFly instance that the administrator is currently authenticated against, including (but not limited to) altering security policies and network configuration of the instance (assuming that the administrator had such permissions).
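
The forged multipart post described above, the Origin-only check it slips past in browsers that omit the header, and a stricter check of the kind the HAL-798 move to XHR uploads makes possible, as an added example that is not part of this bug report or of the WildFly/EAP code base. The console origin, the header name x-management-client-name, the multipart bodies and the operation payload are illustrative assumptions, not the real management API; the browser behaviour modelled is the one the report states (IE and Firefox of the time not sending Origin on a form post, WebKit-derived browsers sending it).

```javascript
// Added example, not WildFly/EAP code. Models why an Origin-header check alone did not
// stop the forged multipart upload, and a stricter policy for state-changing uploads.
const CONSOLE_ORIGIN = "https://eap.example.internal:9990"; // assumed console origin

// What an attacker's page with a hidden, auto-submitted form makes the victim's browser
// send: a plain multipart/form-data POST. The browser attaches the admin's credentials,
// and an HTML form cannot add custom headers. Body and payload are constructed here for
// illustration; the real management operation format is not reproduced.
function forgedFormRequest(browser) {
  const boundary = "----csrfboundary";
  const body = [
    `--${boundary}`,
    'Content-Disposition: form-data; name="operation"',
    "",
    '{"operation":"add","address":[{"subsystem":"security"},{"security-domain":"evil"}]}',
    `--${boundary}`,
    'Content-Disposition: form-data; name="file"; filename="x.war"',
    "Content-Type: application/octet-stream",
    "",
    "PK...",
    `--${boundary}--`,
    "",
  ].join("\r\n");
  const headers = {
    "content-type": `multipart/form-data; boundary=${boundary}`,
    referer: "https://attacker.example/",
  };
  // Per the report, only WebKit-derived browsers sent Origin on a form POST in 2015.
  if (browser === "webkit") headers.origin = "https://attacker.example";
  return { method: "POST", headers, body };
}

// What the console's own script sends once uploads go through XMLHttpRequest: the
// script can add a header an HTML form cannot set, and a cross-origin XHR carrying
// that header would need a CORS preflight the management interface does not grant.
function legitimateXhrRequest() {
  return {
    method: "POST",
    headers: {
      "content-type": "multipart/form-data; boundary=----xhrboundary",
      origin: CONSOLE_ORIGIN,
      "x-management-client-name": "HAL", // assumed custom header name
    },
    body: "...",
  };
}

// Origin-only policy (the pre-fix behaviour as the report describes it): a mismatching
// Origin is rejected, but a request with no Origin header at all is accepted.
function originOnlyPolicy(req) {
  const origin = req.headers.origin;
  return origin === undefined || origin === CONSOLE_ORIGIN;
}

// Stricter policy for state-changing requests: an Origin, if present, must match the
// console, and the request must carry the custom header that only same-origin script
// can add. A missing Origin is no longer treated as proof of a same-origin request.
function strictPolicy(req) {
  if (req.method === "GET" || req.method === "HEAD") return true; // read-only, no check
  const origin = req.headers.origin;
  if (origin !== undefined && origin !== CONSOLE_ORIGIN) return false;
  return req.headers["x-management-client-name"] !== undefined;
}

// Run each policy against each request; returns a map of verdicts for inspection.
function evaluate() {
  const requests = {
    forgedFromFirefox: forgedFormRequest("firefox"),
    forgedFromIE: forgedFormRequest("ie"),
    forgedFromWebKit: forgedFormRequest("webkit"),
    legitimateXhr: legitimateXhrRequest(),
  };
  const verdicts = {};
  for (const [name, req] of Object.entries(requests)) {
    verdicts[name] = { originOnly: originOnlyPolicy(req), strict: strictPolicy(req) };
  }
  return verdicts;
}
```

Running evaluate() shows the gap the report describes: the forged post from a browser that omits Origin passes the Origin-only policy and is only refused by the policy that demands the custom header, while the forged post from a WebKit browser is refused by both.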

Comment 3 JBoss JIRA Server 2015-08-26 19:43:23 UTC
Harald Pehl <hpehl@redhat.com> updated the status of jira HAL-798 to Resolved

Comment 11 Timothy Walsh 2015-10-14 07:28:59 UTC
Acknowledgement:

This issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

Comment 12 errata-xmlrpc 2015-10-15 15:28:59 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html

Comment 13 errata-xmlrpc 2015-10-15 15:42:50 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html

Comment 14 errata-xmlrpc 2015-10-15 15:43:53 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html

Comment 15 errata-xmlrpc 2015-10-15 16:00:10 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html

Comment 16 JBoss JIRA Server 2015-10-27 03:10:47 UTC
Jason Greene <jason.greene@jboss.com> updated the status of jira WFCORE-594 to Resolved

