Bug 1252885 (CVE-2015-5188, WFLY-2913) - CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Summary: CVE-2015-5188 JBoss EAP: CSRF vulnerability in EAP & WildFly Web Console
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5188, WFLY-2913
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1253674
Blocks: 1252886 1271191
 
Reported: 2015-08-12 12:45 UTC by Vasyl Kaigorodov
Modified: 2023-05-13 00:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that when uploading a file using a multipart/form-data submission to the EAP Web Console, the Console was vulnerable to Cross-Site Request Forgery (CSRF). This meant that an attacker could use the flaw together with a forgery attack to make changes to an authenticated instance.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:47:40 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker HAL-798 0 Critical Resolved Update HAL to use XHR for uploads 2019-06-20 12:43:26 UTC
Red Hat Issue Tracker WFCORE-594 0 Blocker Resolved CSRF vulnerability in the WFLY-2913 solution 2019-06-20 12:43:26 UTC
Red Hat Product Errata RHSA-2015:1904 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update 2015-10-15 19:40:00 UTC
Red Hat Product Errata RHSA-2015:1905 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update 2015-10-15 19:38:43 UTC
Red Hat Product Errata RHSA-2015:1906 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.4 update 2015-10-15 19:58:56 UTC
Red Hat Product Errata RHSA-2015:1907 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.4 jboss-ec2-eap update 2015-10-15 19:28:38 UTC

Description Vasyl Kaigorodov 2015-08-12 12:45:19 UTC
Jason Greene from Red Hat reported that a CSRF vulnerability was introduced with this change:

https://github.com/wildfly/wildfly/pull/5904

and backported here:

https://github.com/jbossas/jboss-eap/pull/932

Affected Versions include:
EAP 6.3.x
EAP 6.4.x
WildFly 8.1.0
WildFly 8.2.0
WildFly 9.0.x

Known Affected Browsers:
Internet Explorer (all supported versions)
Firefox (all supported versions)

The change introduces the ability to upload a file as part of executing a management operation. Since the format used is equivalent to a standard multipart/form-data submission, it can be easily forged using an HTML page and a hidden form value, since such pages are not enforced under the same-origin policy. While the EAP/WildFly versions affected enforce Origin headers, which would mitigate this attack, only WebKit-derived browsers (Chrome, Safari, Opera, etc.) send them.

The net result is that this vulnerability, when combined with a forgery attack would allow an attacker to make arbitrary changes to the EAP/WildFly instance that the administrator is currently authenticated against, including (but not limited to) altering security policies and network configuration of the instance (assuming that the administrator had such permissions).

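The description above turns on one detail: an Origin check that only rejects a *mismatching* Origin does nothing for a browser that sends no Origin at all on a cross-site form post. The following is an added illustration, not code from WildFly, EAP or the HAL console, and it does not claim to be what HAL-798/WFCORE-594 implemented. It models the two policies over three constructed requests: a forged multipart form submitted by a WebKit browser (Origin present), the same form submitted by a browser that omits Origin, and the console's own upload sent from same-origin script via XHR. The console origin, the marker header name and value, and the request headers are all assumptions made for this example.

```python
"""Why an Origin-only check did not stop the forged multipart upload, and what
a stricter check looks like. Constructed example; not WildFly/EAP/HAL code."""

from typing import Mapping, Optional

# Origin of the management console the administrator is logged in to.
# Hypothetical value chosen for this example.
CONSOLE_ORIGIN = "https://eap.example.internal:9990"

# Header assumed to be added by the console's own XHR-based uploader.
# A cross-origin <form> cannot set arbitrary request headers, and a
# cross-origin XHR that sets one triggers a CORS preflight that the server
# never approves, so its presence shows the request came from same-origin
# script. The name and value are hypothetical choices for this example.
XHR_MARKER_HEADER = "X-Management-Client"
XHR_MARKER_VALUE = "hal-console"


def _lookup(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since HTTP header names are."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def is_multipart_management_post(method: str, headers: Mapping[str, str]) -> bool:
    """The request shape the upload feature accepts: a POST whose body is
    multipart/form-data, which is exactly what an HTML <form> can produce."""
    ctype = _lookup(headers, "Content-Type") or ""
    return method.upper() == "POST" and ctype.lower().startswith("multipart/form-data")


def weak_origin_check(method: str, headers: Mapping[str, str]) -> bool:
    """Origin enforcement as the report describes it: a mismatching Origin is
    rejected, but a request with no Origin header is let through. Browsers
    that do not send Origin on form posts (Firefox and IE, per the report)
    therefore slip past it."""
    if not is_multipart_management_post(method, headers):
        return True  # other request types are out of scope here
    origin = _lookup(headers, "Origin")
    if origin is None:
        return True  # the gap: absence is treated as trustworthy
    return origin == CONSOLE_ORIGIN


def strict_check(method: str, headers: Mapping[str, str]) -> bool:
    """Hardened policy: a multipart management POST is accepted only when it
    carries the XHR-only marker header, and any Origin that is present must
    match the console. A missing Origin is no longer a free pass."""
    if not is_multipart_management_post(method, headers):
        return True
    if _lookup(headers, XHR_MARKER_HEADER) != XHR_MARKER_VALUE:
        return False
    origin = _lookup(headers, "Origin")
    if origin is not None and origin != CONSOLE_ORIGIN:
        return False
    return True


# Constructed requests modelled on the browser cases in the report. Ambient
# credentials (a session cookie or cached HTTP auth) ride along with every
# one of them automatically, which is what makes the forgery work; they are
# omitted from the header dicts because the checks never look at them.
MULTIPART = "multipart/form-data; boundary=----ConstructedBoundary0001"

# 1. Forged <form> on https://attacker.example submitted by a WebKit browser:
#    Origin is sent, so the mismatch is visible to the server.
WEBKIT_FORGERY = {"Content-Type": MULTIPART, "Origin": "https://attacker.example"}

# 2. Same forged form submitted by a browser that omits Origin on form posts.
NO_ORIGIN_FORGERY = {"Content-Type": MULTIPART}

# 3. The console's own upload, sent from same-origin script via XHR.
CONSOLE_XHR = {"Content-Type": MULTIPART, "Origin": CONSOLE_ORIGIN,
               XHR_MARKER_HEADER: XHR_MARKER_VALUE}


def evaluate_all() -> dict:
    """Run both policies over the three requests: {name: (weak, strict)}."""
    cases = {"webkit_forgery": WEBKIT_FORGERY,
             "no_origin_forgery": NO_ORIGIN_FORGERY,
             "console_xhr": CONSOLE_XHR}
    return {name: (weak_origin_check("POST", h), strict_check("POST", h))
            for name, h in cases.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate_all().items():
        print(f"{name:18s} weak={'allow' if weak else 'deny':5s} "
              f"strict={'allow' if strict else 'deny'}")
```

The only case where the two policies disagree is the forged form from a browser that sends no Origin, which is the gap the report describes. The strict policy is the generic defence (require something a cross-site form cannot supply, and treat a missing Origin as untrusted rather than as proof of same-origin); whether HAL's move to XHR uploads relied on a custom header, a token, or something else is not stated on this page.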
Comment 3 JBoss JIRA Server 2015-08-26 19:43:23 UTC
Harald Pehl <hpehl> updated the status of jira HAL-798 to Resolved

Comment 11 Timothy Walsh 2015-10-14 07:28:59 UTC
Acknowledgement:

This issue was discovered by Jason Greene of the Red Hat Middleware Engineering Team.

Comment 12 errata-xmlrpc 2015-10-15 15:28:59 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1907 https://rhn.redhat.com/errata/RHSA-2015-1907.html

Comment 13 errata-xmlrpc 2015-10-15 15:42:50 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:1905 https://rhn.redhat.com/errata/RHSA-2015-1905.html

Comment 14 errata-xmlrpc 2015-10-15 15:43:53 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:1904 https://rhn.redhat.com/errata/RHSA-2015-1904.html

Comment 15 errata-xmlrpc 2015-10-15 16:00:10 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:1906 https://rhn.redhat.com/errata/RHSA-2015-1906.html

Comment 16 JBoss JIRA Server 2015-10-27 03:10:47 UTC
Jason Greene <jason.greene> updated the status of jira WFCORE-594 to Resolved

