Bug 802622 (CVE-2012-1167) - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
Summary: CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignor...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-1167
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 804894 804895 804897
Blocks: 802628
TreeView+ depends on / blocked
 
Reported: 2012-03-13 05:41 UTC by Arun Babu Neelicattu
Modified: 2019-09-29 12:51 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-05 23:42:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1013 0 normal SHIPPED_LIVE Moderate: jbossas security update 2012-06-19 23:23:31 UTC
Red Hat Product Errata RHSA-2012:1014 0 normal SHIPPED_LIVE Moderate: jbossas security update 2012-06-19 23:33:58 UTC
Red Hat Product Errata RHSA-2012:1026 0 normal SHIPPED_LIVE Important: jbossas and jboss-naming security update 2012-06-20 20:02:33 UTC
Red Hat Product Errata RHSA-2012:1027 0 normal SHIPPED_LIVE Important: jbossas-web and jboss-naming security update 2012-06-20 20:02:18 UTC
Red Hat Product Errata RHSA-2012:1232 0 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 5.2.2 update 2012-09-05 20:25:36 UTC

Description Arun Babu Neelicattu 2012-03-13 05:41:02 UTC 
When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml <security-constraint> tag.
Comment 6 David Jorm 2012-06-12 23:13:28 UTC 
This flaw is resolved in EAP 6.0.0 GA.
Comment 7 errata-xmlrpc 2012-06-19 19:24:20 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1013 https://rhn.redhat.com/errata/RHSA-2012-1013.html
Comment 8 errata-xmlrpc 2012-06-19 19:34:34 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1014 https://rhn.redhat.com/errata/RHSA-2012-1014.html
Comment 9 errata-xmlrpc 2012-06-20 16:05:47 UTC 
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html
Comment 10 errata-xmlrpc 2012-06-20 16:05:54 UTC 
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html
Comment 11 David Jorm 2012-08-10 04:00:50 UTC 
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
Comment 12 David Jorm 2012-08-10 04:03:26 UTC 
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
Comment 14 errata-xmlrpc 2012-09-05 16:27:17 UTC 
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html
Note You need to log in before you can comment on or make changes to this bug.