Bug 1273046 (CVE-2015-5304) - CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Auditor role when shutting down server
Summary: CVE-2015-5304 JBoss EAP: missing authorization check for Monitor/Deployer/Aud...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5304
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1274140 1274141
Blocks: 1273047 1286524
TreeView+ depends on / blocked
 
Reported: 2015-10-19 12:55 UTC by Martin Prpič
Modified: 2023-05-12 16:46 UTC (History)
19 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that JBoss EAP did not properly authorize a user performing a shut down. A remote user with the Monitor, Deployer, or Auditor role could use this flaw to shut down the EAP server, which is an action restricted to admin users.
Clone Of:
Environment:
Last Closed: 2021-10-21 00:48:00 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2538 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:16:00 UTC
Red Hat Product Errata RHSA-2015:2539 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:14:48 UTC
Red Hat Product Errata RHSA-2015:2540 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 22:33:17 UTC
Red Hat Product Errata RHSA-2015:2541 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 update 2015-12-02 21:58:57 UTC
Red Hat Product Errata RHSA-2015:2542 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.5 jboss-ec2-eap update 2015-12-02 22:48:07 UTC

Description Martin Prpič 2015-10-19 12:55:15 UTC 
It was found that JBoss EAP did not properly authorize a user performing a shut down. An user with the role Monitor, Deployer, or Auditor could use this flaw to shut down the EAP server, which is an action restricted to admin users.

The following commits introduced this issue:

https://github.com/wildfly/wildfly-core/commit/6e5611b4c6
https://github.com/jbossas/jboss-eap/commit/a905e9a041

The context.getServiceRegistry call, which throws an exception when authorization fails, was replaced with a call to context.authorize, which only returns an authorization result.
Comment 2 Martin Prpič 2015-10-19 13:19:45 UTC 
Acknowledgements:

This issue was discovered by Ladislav Thon of Red Hat Middleware Quality Engineering.
Comment 11 errata-xmlrpc 2015-12-02 16:59:12 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform

Via RHSA-2015:2541 https://rhn.redhat.com/errata/RHSA-2015-2541.html
Comment 12 errata-xmlrpc 2015-12-02 17:19:58 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2539 https://rhn.redhat.com/errata/RHSA-2015-2539.html
Comment 13 errata-xmlrpc 2015-12-02 17:20:11 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:2538 https://rhn.redhat.com/errata/RHSA-2015-2538.html
Comment 14 errata-xmlrpc 2015-12-02 17:35:28 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:2540 https://rhn.redhat.com/errata/RHSA-2015-2540.html
Comment 15 errata-xmlrpc 2015-12-02 17:48:38 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:2542 https://rhn.redhat.com/errata/RHSA-2015-2542.html
Note You need to log in before you can comment on or make changes to this bug.