SmallRye Config through version 1.6.1 includes an API that can allow other code running within the application server to obtain the ClassLoader, bypassing any permission checks that should have been applied.
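The weakness described above is a getter that hands a ClassLoader to any caller without consulting the SecurityManager. The following is an added illustration, not SmallRye Config's code and not the upstream fix: the class names, fields and the minimal SecurityManager are hypothetical, and it uses only the standard JDK check (RuntimePermission("getClassLoader")) that the JDK's own ClassLoader accessors perform. On JDK 18 and later the SecurityManager is disabled by default, so the demo needs -Djava.security.manager=allow on the command line; on JDK 17+ the compiler also warns that SecurityManager is deprecated for removal.

```java
import java.security.Permission;

/**
 * Side-by-side demo of an unguarded and a guarded ClassLoader getter.
 * Hypothetical holder classes; not SmallRye Config's API.
 */
public class GuardedLoaderDemo {

    /** Weak pattern: any code in the same JVM obtains the loader. */
    static final class UncheckedConfig {
        private final ClassLoader loader;
        UncheckedConfig(ClassLoader loader) { this.loader = loader; }
        ClassLoader getClassLoader() {
            return loader; // no permission check before exposing the loader
        }
    }

    /** Hardened pattern: same check the JDK applies before returning a loader. */
    static final class CheckedConfig {
        private final ClassLoader loader;
        CheckedConfig(ClassLoader loader) { this.loader = loader; }
        ClassLoader getClassLoader() {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Throws SecurityException unless the calling code holds the permission
                sm.checkPermission(new RuntimePermission("getClassLoader"));
            }
            return loader;
        }
    }

    /** Minimal SecurityManager for the demo: denies only getClassLoader, allows the rest. */
    static final class DenyLoaderAccess extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission && "getClassLoader".equals(perm.getName())) {
                throw new SecurityException("denied: " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) {
        // Capture the loader before the manager is installed so the demo itself is not blocked.
        ClassLoader cl = GuardedLoaderDemo.class.getClassLoader();
        System.setSecurityManager(new DenyLoaderAccess()); // JDK 18+: -Djava.security.manager=allow

        // The unguarded getter ignores the installed policy entirely.
        System.out.println("unchecked getter returned: " + new UncheckedConfig(cl).getClassLoader());

        // The guarded getter refuses because the policy denies getClassLoader.
        try {
            new CheckedConfig(cl).getClassLoader();
            System.out.println("checked getter returned the loader (policy not enforced)");
        } catch (SecurityException e) {
            System.out.println("checked getter refused: " + e.getMessage());
        }
    }
}
```

Run with `java -Djava.security.manager=allow GuardedLoaderDemo` (the flag is harmless on older JDKs). The point for reviewers is the shape of the check, not the demo policy: any method that returns a ClassLoader, or an object from which one can be reached, should perform the same `checkPermission` call so that the application server's policy, not the caller's reachability, decides who gets the loader.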
Acknowledgments: Darran Lofthouse (Red Hat)
Upstream commit: https://github.com/smallrye/smallrye-config/pull/239/commits/fb0def6f61c09a2a80c9145e4ec6521225cd0b99
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2020:2058 https://access.redhat.com/errata/RHSA-2020:2058
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2020:2059 https://access.redhat.com/errata/RHSA-2020:2059
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2020:2060 https://access.redhat.com/errata/RHSA-2020:2060
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2061 https://access.redhat.com/errata/RHSA-2020:2061
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1729
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2020:2511 https://access.redhat.com/errata/RHSA-2020:2511
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2515 https://access.redhat.com/errata/RHSA-2020:2515
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2020:2513 https://access.redhat.com/errata/RHSA-2020:2513
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2020:2512 https://access.redhat.com/errata/RHSA-2020:2512