Tested in JBoss EAP 7.2.3 GA:

The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server as mentioned in Table 2.1 and 2.2 in our product documentation: https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/security_architecture/index#rbac

But it has been observed that these users can perform this operation. They can stop any server running in domain mode:

--------------------------------------
[domain@localhost:9990 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "success",
    "result" => "STOPPING"
}
[domain@localhost:9990 /] /host=master/server-config=server-one:start()
{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0313: Unauthorized to execute operation 'start' for resource '[ (\"host\" => \"master\"), (\"server-config\" => \"server-one\") ]' -- \"WFLYCTL0332: Permission denied\"",
    "rolled-back" => true
}
-------------------------------------

These users are allowed to "stop" the server but they cannot "start" it. Ideally they should not be able to stop or start any server.
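The report above shows the symptom at the CLI; an operator who wants to know whether a read-only role ever managed to stop a server on an unpatched host can look in the management audit log instead of re-running the operation. The following is an added example written for this page, not code from the bug report or from Red Hat. It assumes the audit log layout of one `<timestamp> - {json}` record per operation, where the JSON carries `user`, `success` and an `ops` list whose entries have `operation` and `address` (a list of single-key objects); since the record does not carry the RBAC role, the user-to-role mapping (`USER_ROLES`) is supplied by the caller and the sample log entries are constructed.

```python
"""Audit-log check for the RBAC bypass described in this report.

Added example (not from the bug report). Scans a JBoss EAP management audit
log for runtime-state operations on server-config resources that SUCCEEDED
for a user mapped to a read-only role (Monitor, Auditor, Deployer).

Assumptions:
  - records look like '<timestamp> - {json}', the JSON possibly spanning
    several lines, with keys "user", "success" and "ops" (each op carrying
    "operation" and "address" as a list of single-key objects);
  - the user-to-role mapping comes from the caller (the audit record does
    not carry the RBAC role); USER_ROLES below is a constructed sample.
"""
import json
import re
from typing import Dict, List, Tuple

READ_ONLY_ROLES = {"Monitor", "Auditor", "Deployer"}
# The two operations shown in the report; extend if you restrict others too.
RUNTIME_STATE_OPS = {"stop", "start"}

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:[.,]\d+)? - (.*)$")

# Constructed sample: one successful stop by a Monitor user (the bug), one
# denied start by the same user (expected), one stop by an administrator.
USER_ROLES: Dict[str, str] = {"monitor1": "Monitor", "admin1": "SuperUser"}
SAMPLE_LOG = """\
2019-09-13 10:00:01 - {
    "type" : "core",
    "r/o" : false,
    "booting" : false,
    "user" : "monitor1",
    "access" : "NATIVE",
    "remote-address" : "127.0.0.1/127.0.0.1",
    "success" : true,
    "ops" : [{
        "address" : [{"host" : "master"}, {"server-config" : "server-one"}],
        "operation" : "stop"
    }]
}
2019-09-13 10:00:05 - {
    "type" : "core",
    "user" : "monitor1",
    "success" : false,
    "ops" : [{
        "address" : [{"host" : "master"}, {"server-config" : "server-one"}],
        "operation" : "start"
    }]
}
2019-09-13 10:01:00 - {
    "type" : "core",
    "user" : "admin1",
    "success" : true,
    "ops" : [{
        "address" : [{"host" : "master"}, {"server-config" : "server-two"}],
        "operation" : "stop"
    }]
}
"""


def split_records(log_text: str) -> List[str]:
    """Group the audit log into one JSON string per record."""
    records: List[List[str]] = []
    for line in log_text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append([m.group(1)])  # start of a new record
        elif records:
            records[-1].append(line)      # continuation of the current JSON
    return ["\n".join(r) for r in records]


def format_address(address) -> str:
    """Render [{'host': 'master'}, {'server-config': 'server-one'}] as a CLI path."""
    return "".join(f"/{k}={v}" for part in address for k, v in part.items())


def find_violations(log_text: str, user_roles: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (user, role, operation, address) for every successful
    runtime-state change on a server-config made by a read-only role."""
    findings = []
    for raw in split_records(log_text):
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a truncated or partially written record
        if not rec.get("success"):
            continue  # a denied operation is the expected RBAC behaviour
        user = rec.get("user")
        role = user_roles.get(user)
        if role not in READ_ONLY_ROLES:
            continue
        for op in rec.get("ops", []):
            name = op.get("operation")
            addr = op.get("address", [])
            if name in RUNTIME_STATE_OPS and any("server-config" in part for part in addr):
                findings.append((user, role, name, format_address(addr)))
    return findings


if __name__ == "__main__":
    for user, role, op, path in find_violations(SAMPLE_LOG, USER_ROLES):
        print(f"RBAC violation: {user} ({role}) ran '{op}' on {path}")
```

Only the Monitor user's successful `stop` is reported; the denied `start` and the administrator's `stop` are both expected and stay silent. Point the script at a real audit log (and a real user-to-role mapping taken from the host's RBAC configuration) to confirm whether the issue was exercised before the errata below were applied.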
I have tested it in EAP 6.4.22 and it is working as expected. EAP 6 is not affected:

-----------------------------
[domain@localhost:9999 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'stop' for resource '[ (\"host\" => \"master\"), (\"server-config\" => \"server-one\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 /] /host=master/server-config=server-one:start()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'start' for resource '[ (\"host\" => \"master\"), (\"server-config\" => \"server-one\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
-----------------------------
JDV 6 is not affected:

-------------------
[domain@localhost:9999 /] /host=master/server-config=server-one:stop()
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'stop' for resource '[ (\"host\" => \"master\"), (\"server-config\" => \"server-one\") ]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
--------------------
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:3083 https://access.redhat.com/errata/RHSA-2019:3083
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:3082 https://access.redhat.com/errata/RHSA-2019:3082
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14838
Acknowledgments: Name: Fábio Magalhães de Andrade (Sonda Ativas), Leonard Lunardi (UnimedBH), Juliano de Castro Santos (UnimedBH)
External References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14838
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045
This issue has been addressed in the following products: Red Hat Data Grid 7.3.4 Via RHSA-2020:0728 https://access.redhat.com/errata/RHSA-2020:0728
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565