Bug 802622 (CVE-2012-1167) - CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignoreBaseDecision on JBossWebRealm
Summary: CVE-2012-1167 JBoss: authentication bypass when running under JACC with ignor...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-1167
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20120612,repor...
Depends On: 804894 804895 804897
Blocks: 802628
TreeView+ depends on / blocked
 
Reported: 2012-03-13 05:41 UTC by Arun Babu Neelicattu
Modified: 2019-06-08 19:04 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-05 23:42:54 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1013 normal SHIPPED_LIVE Moderate: jbossas security update 2012-06-19 23:23:31 UTC
Red Hat Product Errata RHSA-2012:1014 normal SHIPPED_LIVE Moderate: jbossas security update 2012-06-19 23:33:58 UTC
Red Hat Product Errata RHSA-2012:1026 normal SHIPPED_LIVE Important: jbossas and jboss-naming security update 2012-06-20 20:02:33 UTC
Red Hat Product Errata RHSA-2012:1027 normal SHIPPED_LIVE Important: jbossas-web and jboss-naming security update 2012-06-20 20:02:18 UTC
Red Hat Product Errata RHSA-2012:1232 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 5.2.2 update 2012-09-05 20:25:36 UTC

Description Arun Babu Neelicattu 2012-03-13 05:41:02 UTC
When a JBoss server is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates permissions that are not checked and can permit access to users without checking their roles. If the ignoreBaseDecision property is set to true on JBossWebRealm, the web authorization process is handled exclusively by JBossAuthorizationEngine, without any input from JBoss Web. This allows any valid user to access an application, without needing to be assigned the role specified in the application's web.xml <security-constraint> tag.

Comment 6 David Jorm 2012-06-12 23:13:28 UTC
This flaw is resolved in EAP 6.0.0 GA.

Comment 7 errata-xmlrpc 2012-06-19 19:24:20 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:1013 https://rhn.redhat.com/errata/RHSA-2012-1013.html

Comment 8 errata-xmlrpc 2012-06-19 19:34:34 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:1014 https://rhn.redhat.com/errata/RHSA-2012-1014.html

Comment 9 errata-xmlrpc 2012-06-20 16:05:47 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2012:1027 https://rhn.redhat.com/errata/RHSA-2012-1027.html

Comment 10 errata-xmlrpc 2012-06-20 16:05:54 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2012:1026 https://rhn.redhat.com/errata/RHSA-2012-1026.html

Comment 11 David Jorm 2012-08-10 04:00:50 UTC
This issue has been addressed in following products:

  JBoss Enterprise BRMS Platform 5.3.0

Via RHSA-2012:1028 https://rhn.redhat.com/errata/RHSA-2012-1028.html

Comment 12 David Jorm 2012-08-10 04:03:26 UTC
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 5.3.0

Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html

Comment 14 errata-xmlrpc 2012-09-05 16:27:17 UTC
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html


Note You need to log in before you can comment on or make changes to this bug.