Bug 802622 - (CVE-2012-1167) CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120612,repor...
Keywords: Security
Depends On: 804894 804895 804897
Blocks: 802628
Reported: 2012-03-13 01:41 EDT by Arun Babu Neelicattu
Modified: 2015-02-15 16:51 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-05 19:42:54 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Arun Babu Neelicattu 2012-03-13 01:41:02 EDT
When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml <security-constraint> tag.
Comment 6 David Jorm 2012-06-12 19:13:28 EDT
This flaw is resolved in EAP 6.0.0 GA.
Comment 7 errata-xmlrpc 2012-06-19 15:24:20 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1013 https://rhn.redhat.com/errata/RHSA-2012-1013.html
Comment 8 errata-xmlrpc 2012-06-19 15:34:34 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1014 https://rhn.redhat.com/errata/RHSA-2012-1014.html
Comment 9 errata-xmlrpc 2012-06-20 12:05:47 EDT
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html
Comment 10 errata-xmlrpc 2012-06-20 12:05:54 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html
Comment 11 David Jorm 2012-08-10 00:00:50 EDT
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html
Comment 12 David Jorm 2012-08-10 00:03:26 EDT
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
Comment 14 errata-xmlrpc 2012-09-05 12:27:17 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html