1380852 – (CVE-2016-7061) CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode

Bug 1380852 (CVE-2016-7061) - CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode

Summary: CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domai...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-7061
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1381324 1381325
Blocks:	1392081 1413131 1520314
TreeView+	depends on / blocked

Reported:	2016-09-30 19:10 UTC by Bharti Kundal
Modified:	2021-10-21 11:47 UTC (History)
CC List:	20 users (show)
Fixed In Version:	eap 7.0.4
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.
Clone Of:
Environment:
Last Closed:	2021-10-21 11:47:30 UTC
Embargoed:
Flags:	bkundal: needinfo-

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:0170	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise Application Platform 7.0.4 on RHEL 6	2017-01-20 20:58:37 UTC
Red Hat Product Errata	RHSA-2017:0171	normal	SHIPPED_LIVE	Moderate: JBoss Enterprise Application Platform 7.0.4 for RHEL 7	2017-01-20 20:58:12 UTC
Red Hat Product Errata	RHSA-2017:0172	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 7.0.4	2017-01-19 01:40:13 UTC
Red Hat Product Errata	RHSA-2017:0173	normal	SHIPPED_LIVE	Moderate: eap7-jboss-ec2-eap security update	2017-01-20 21:06:12 UTC
Red Hat Product Errata	RHSA-2017:0244	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-02-03 01:39:38 UTC
Red Hat Product Errata	RHSA-2017:0245	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-02-03 01:36:51 UTC
Red Hat Product Errata	RHSA-2017:0246	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform security update	2017-02-03 01:33:58 UTC
Red Hat Product Errata	RHSA-2017:0247	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform security update	2017-05-03 01:58:19 UTC
Red Hat Product Errata	RHSA-2017:0250	normal	SHIPPED_LIVE	Important: jboss-ec2-eap security, bug fix, and enhancement update	2017-02-03 02:03:53 UTC
Red Hat Product Errata	RHSA-2017:3454	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 22:48:09 UTC
Red Hat Product Errata	RHSA-2017:3455	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 22:57:25 UTC
Red Hat Product Errata	RHSA-2017:3456	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update	2017-12-13 22:31:03 UTC
Red Hat Product Errata	RHSA-2017:3458	normal	SHIPPED_LIVE	Important: eap7-jboss-ec2-eap security update	2017-12-13 23:26:13 UTC

Description Bharti Kundal 2016-09-30 19:10:50 UTC

Sensitive data can be exposed at the server level through CLI in domain mode

Comment 1 Bharti Kundal 2016-09-30 20:09:25 UTC

When configuring RBAC and marking information as sensitive,the users under Monitor role are able to view it.The following are the details:

<security-realms>
            <security-realm name="ManagementRealm">
                <authentication>
                   
                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                </authentication>
                <authorization map-groups-to-roles="false">
                    <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
                </authorization>                
            </security-realm>

  <management>
        <access-control provider="rbac">
            <role-mapping>
                <role name="SuperUser">
                    <include>
                        <user name="adminuser"/>
                    </include>
                </role>
                <role name="Monitor">
                    <include>
                        <user name="rbactest"/>
                   </include>
                </role>
            </role-mapping>
<constraints>
<sensitive-classifications>
<sensitive-classification type="core"
name="socket-config" requires-read="true"/>
 </sensitive-classifications>
</constraints>
</access-control>
    </management>


With user rabactest under monitor role ,the socket-bindidng read reseource fails:

[bkundal@dhcp193-167 bin]$ ./jboss-cli.sh --connect 
Authenticating against security realm: ManagementRealm
Username: rbactest
Password: 

[domain@localhost:9999 /] cd socket-binding-group=ha-sockets
[domain@localhost:9999 socket-binding-group=ha-sockets] /socket-binding-group=ha-sockets/socket-binding=http:read-resource
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' for resource '[
    (\"socket-binding-group\" => \"ha-sockets\"),
    (\"socket-binding\" => \"http\")
]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 socket-binding-group=ha-sockets]

but this socket-config can be viewed at the server level

domain@localhost:9999 socket-binding-group=ha-sockets] cd /host=master/
[domain@localhost:9999 host=master] cd server=server-one
[domain@localhost:9999 server=server-one] cd socket-binding-group=full-sockets
[domain@localhost:9999 socket-binding-group=full-sockets] cd socket-binding=http
[domain@localhost:9999 socket-binding=http] ls -l
ATTRIBUTE         VALUE     TYPE    
bound             true      BOOLEAN 
bound-address     127.0.0.1 STRING  
bound-port        8080      INT     
client-mappings   undefined LIST    
fixed-port        false     BOOLEAN 
interface         undefined STRING  
multicast-address undefined STRING  
multicast-port    undefined INT     
name              http      STRING  
port              8080      INT     
[domain@localhost:9999 socket-binding=http]

Comment 7 errata-xmlrpc 2017-01-18 20:40:40 UTC

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 7.0.4

Via RHSA-2017:0172 https://rhn.redhat.com/errata/RHSA-2017-0172.html

Comment 8 errata-xmlrpc 2017-01-18 21:54:16 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0171 https://rhn.redhat.com/errata/RHSA-2017-0171.html

Comment 9 errata-xmlrpc 2017-01-18 21:54:39 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:0170 https://rhn.redhat.com/errata/RHSA-2017-0170.html

Comment 10 errata-xmlrpc 2017-01-18 22:12:42 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0173 https://rhn.redhat.com/errata/RHSA-2017-0173.html

Comment 17 errata-xmlrpc 2017-02-02 20:23:43 UTC

This issue has been addressed in the following products:



Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

Comment 18 errata-xmlrpc 2017-02-02 20:44:23 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

Comment 19 errata-xmlrpc 2017-02-02 20:45:33 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

Comment 20 errata-xmlrpc 2017-02-02 20:46:45 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

Comment 21 errata-xmlrpc 2017-02-02 21:04:13 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html

Comment 22 errata-xmlrpc 2017-12-13 17:33:51 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 23 errata-xmlrpc 2017-12-13 18:20:20 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 24 errata-xmlrpc 2017-12-13 18:41:44 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 25 errata-xmlrpc 2017-12-13 18:47:41 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Note You need to log in before you can comment on or make changes to this bug.

bbaranow
bmaxwell
cdewolf
chazlett
csutherl
dandread
darran.lofthouse
dosoudil
ehugonne
jason.greene
jawilson
jshepherd
lgao
myarboro
pslavice
rnetuka
rsvoboda
security-response-team
twalsh
vtunka