Bug 1897618 (CVE-2020-25711) - CVE-2020-25711 infinispan: authorization check missing for server management operations
Summary: CVE-2020-25711 infinispan: authorization check missing for server management ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25711
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1897606
TreeView+ depends on / blocked
 
Reported: 2020-11-13 16:20 UTC by Paramvir jindal
Modified: 2021-02-16 18:55 UTC (History)
46 users (show)

Fixed In Version: Infinispan 11.0.6 Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. The highest threat from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed: 2021-02-08 14:41:43 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0433 0 None None None 2021-02-08 12:55:04 UTC

Description Paramvir jindal 2020-11-13 16:20:39 UTC 
Some server management operations don't check authorization permissions so, when authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. 

The following ops are affected: 
* server stop 
* cluster stop 
* server report 
* cache ignore list manipulation 

This vulnerability affects the org.infinispan:infinispan-server-runtime artifact for all versions up to 11.0.5.Final.

https://issues.redhat.com/browse/JDG-4194
Comment 5 Paramvir jindal 2020-11-25 13:54:03 UTC 
Acknowledgments:

Name: Tristan Tarrant (Red Hat)
Comment 6 Chess Hazlett 2021-02-03 19:11:45 UTC 
Mitigation:

There is currently no known mitigation for this issue.
Comment 7 errata-xmlrpc 2021-02-08 12:55:01 UTC 
This issue has been addressed in the following products:

  Red Hat Data Grid 8.1.1

Via RHSA-2021:0433 https://access.redhat.com/errata/RHSA-2021:0433
Comment 8 Product Security DevOps Team 2021-02-08 14:41:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25711
Note You need to log in before you can comment on or make changes to this bug.