When using multi-user authentication provided by the "allow-multiple-users" option for the datasource's connection pool together with a security domain, the credentials provided as arguments to the getConnection(uid,pwd) function are ignored. This means that a valid connection will be returned for an invalid credential. This could also mean that, provided the correct subject, a datasource connection can be obtained that which might belong to a privileged user. A fix for this issue is already available up-stream. The up-stream fix is located at [jira JBJCA-864].
Acknowledgements: This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team.
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.0.1 Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html