Bug 1273046 - (CVE-2015-5304) CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server
CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Aud...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20151202,repor...
: Security
Depends On: 1274141 1274140
Blocks: 1273047 1286524
  Show dependency treegraph
 
Reported: 2015-10-19 08:55 EDT by Martin Prpič
Modified: 2016-02-15 04:33 EST (History)
21 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Martin Prpič 2015-10-19 08:55:15 EDT
It was found that JBoss EAP did not properly authorize a user performing a shut down. An user with the role Monitor, Deployer, or Auditor could use this flaw to shut down the EAP server, which is an action restricted to admin users.

The following commits introduced this issue:

https://github.com/wildfly/wildfly-core/commit/6e5611b4c6
https://github.com/jbossas/jboss-eap/commit/a905e9a041

The context.getServiceRegistry call, which throws an exception when authorization fails, was replaced with a call to context.authorize, which only returns an authorization result.
Comment 2 Martin Prpič 2015-10-19 09:19:45 EDT
Acknowledgements:

This issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.
Comment 11 errata-xmlrpc 2015-12-02 11:59:12 EST
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html
Comment 12 errata-xmlrpc 2015-12-02 12:19:58 EST
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html
Comment 13 errata-xmlrpc 2015-12-02 12:20:11 EST
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html
Comment 14 errata-xmlrpc 2015-12-02 12:35:28 EST
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html
Comment 15 errata-xmlrpc 2015-12-02 12:48:38 EST
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html

Note You need to log in before you can comment on or make changes to this bug.