Bug 2060929 (CVE-2022-0866) - CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled
Summary: CVE-2022-0866 wildfly: Wildfly management of EJB Session context returns wron...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-0866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2051641
TreeView+ depends on / blocked
 
Reported: 2022-03-04 15:30 UTC by Patrick Del Bello
Modified: 2024-06-04 17:56 UTC (History)
87 users (show)

Fixed In Version: wildfly 26.1.1.Final, wildfly 27.0.0.Alpha2
Clone Of:
Environment:
Last Closed: 2022-06-06 19:50:37 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:4918 0 None None None 2022-06-06 15:52:32 UTC
Red Hat Product Errata RHSA-2022:4919 0 None None None 2022-06-06 15:58:57 UTC
Red Hat Product Errata RHSA-2022:4922 0 None None None 2022-06-06 15:12:18 UTC
Red Hat Product Errata RHSA-2022:6782 0 None None None 2022-10-04 15:38:08 UTC
Red Hat Product Errata RHSA-2022:6783 0 None None None 2022-10-04 15:41:58 UTC
Red Hat Product Errata RHSA-2022:6787 0 None None None 2022-10-04 15:53:56 UTC
Red Hat Product Errata RHSA-2022:7409 0 None None None 2022-11-03 14:51:51 UTC
Red Hat Product Errata RHSA-2022:7410 0 None None None 2022-11-03 14:51:30 UTC
Red Hat Product Errata RHSA-2022:7411 0 None None None 2022-11-03 14:52:37 UTC
Red Hat Product Errata RHSA-2022:7417 0 None None None 2022-11-03 15:21:48 UTC

Description Patrick Del Bello 2022-03-04 15:30:21 UTC 
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the
RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means that in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity.
Comment 3 errata-xmlrpc 2022-06-06 15:12:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:4922 https://access.redhat.com/errata/RHSA-2022:4922
Comment 4 errata-xmlrpc 2022-06-06 15:52:27 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:4918 https://access.redhat.com/errata/RHSA-2022:4918
Comment 5 errata-xmlrpc 2022-06-06 15:58:53 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:4919 https://access.redhat.com/errata/RHSA-2022:4919
Comment 6 Product Security DevOps Team 2022-06-06 19:50:32 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-0866
Comment 8 errata-xmlrpc 2022-10-04 15:38:01 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782
Comment 9 errata-xmlrpc 2022-10-04 15:41:51 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783
Comment 10 errata-xmlrpc 2022-10-04 15:53:49 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787
Comment 11 errata-xmlrpc 2022-11-03 14:51:26 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410
Comment 12 errata-xmlrpc 2022-11-03 14:51:47 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409
Comment 13 errata-xmlrpc 2022-11-03 14:52:33 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411
Comment 14 errata-xmlrpc 2022-11-03 15:17:23 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6.1

Via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417
Note You need to log in before you can comment on or make changes to this bug.