JBoss EAP has a vulnerability that allows local users who are able to execute the init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, causing the init.d script to terminate any process of their choosing as root.
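The flaw above is a root-privileged stop path that trusts a PID file the service user can write. The following is an added example, not code from the Red Hat advisory or from the JBoss EAP init.d script: a stop routine that validates the process named in the PID file before signalling it. It assumes Linux (/proc) and POSIX sh; the PID file path, service account and command name it is given (here /var/run/jboss-eap/jboss-eap.pid, jboss, java) are illustrative assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example, not code from the Red Hat advisory or the JBoss EAP init.d
# script. Assumes Linux (/proc) and POSIX sh; PID file path, service user and
# command name are the caller's assumptions.
#
# The pattern the advisory describes, reduced to its core:
#     kill "$(cat /var/run/jboss-eap/jboss-eap.pid)"
# run by root, with a PID file the service user can write. Whatever number the
# service user places in that file is the process root will kill.

# validate_pid PIDFILE USER COMM
# Prints the PID and returns 0 only if PIDFILE is a plain file (not a symlink)
# holding a single positive integer, and that PID is a running process whose
# real UID belongs to USER and whose command name is COMM. Returns 1 otherwise.
validate_pid() {
    pidfile=$1
    expected_user=$2
    expected_comm=$3

    # A symlink or a non-regular file in the PID directory is rejected outright.
    [ -f "$pidfile" ] && [ ! -L "$pidfile" ] || return 1

    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # empty, or not a decimal integer
    esac
    [ "$pid" -gt 1 ] || return 1   # never target PID 0 or 1

    # The process must exist.
    [ -d "/proc/$pid" ] || return 1

    # Its real UID must be the expected service account's UID.
    expected_uid=$(id -u "$expected_user" 2>/dev/null) || return 1
    actual_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    [ -n "$actual_uid" ] && [ "$actual_uid" = "$expected_uid" ] || return 1

    # Its command name must match (e.g. "java" for an EAP instance).
    actual_comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    [ "$actual_comm" = "$expected_comm" ] || return 1

    printf '%s\n' "$pid"
}

# safe_stop PIDFILE USER COMM [SIGNAL]
# Sends SIGNAL (default TERM) only to a PID that passes validate_pid.
safe_stop() {
    sig=${4:-TERM}
    pid=$(validate_pid "$1" "$2" "$3") || {
        echo "refusing to stop: $1 does not name a live '$3' process owned by '$2'" >&2
        return 1
    }
    kill -s "$sig" "$pid"
}

# Usage: sh safe-stop.sh /var/run/jboss-eap/jboss-eap.pid jboss java
if [ $# -ge 3 ]; then
    safe_stop "$@"
fi
```

The check is on the identity of the target process (owner and command name) rather than on the PID file itself, because the PID directory is writable by the service user and file ownership alone proves nothing there. Keeping the PID file in a root-owned directory the service user cannot write is a complementary measure, not a replacement for the check.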
Acknowledgments: Name: Daniel Le Gall (SCRT Information Security)
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:1106 https://access.redhat.com/errata/RHSA-2019:1106
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:1107 https://access.redhat.com/errata/RHSA-2019:1107
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:1108 https://access.redhat.com/errata/RHSA-2019:1108
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3.1 zip Via RHSA-2019:1140 https://access.redhat.com/errata/RHSA-2019:1140
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Data Virtualization & Services 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
JDG 7.3.2 (latest version as of today) is affected. Creating Tracker.
This issue has been addressed in the following products: Red Hat Fuse 7.4.0 Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
This issue has been addressed in the following products: Red Hat Data Grid 7.3.3 Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565