870868 – (CVE-2012-4549) CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty

Bug 870868 (CVE-2012-4549) - CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty

Summary: CVE-2012-4549 JBoss AS: EJB authorization succeeds for any role when allowed ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4549
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	876438 881519
TreeView+	depends on / blocked

Reported:	2012-10-29 04:03 UTC by Arun Babu Neelicattu
Modified:	2023-05-12 15:06 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-12-19 01:12:47 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	JBPAPP-10295	Blocker	Closed	CVE-2012-4549 - JBoss AS: EJB authorization succeeds for any role when allowed roles list is empty	2018-01-31 19:08:36 UTC
Red Hat Product Errata	RHSA-2012:1591	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.0.1 update	2012-12-19 03:19:29 UTC
Red Hat Product Errata	RHSA-2012:1592	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.0.1 update	2012-12-19 03:31:01 UTC
Red Hat Product Errata	RHSA-2012:1594	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.0.1 update	2012-12-19 03:52:56 UTC

Description Arun Babu Neelicattu 2012-10-29 04:03:11 UTC

When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. The processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty.

Comment 2 David Jorm 2012-10-29 04:13:49 UTC

Acknowledgements:

This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team.

Comment 24 errata-xmlrpc 2012-12-18 22:21:55 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html

Comment 25 errata-xmlrpc 2012-12-18 22:33:39 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html

Comment 26 errata-xmlrpc 2012-12-18 22:53:34 UTC

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.0.1

Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html

Comment 27 David Jorm 2013-05-20 07:49:09 UTC

Statement:

This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x.

Note You need to log in before you can comment on or make changes to this bug.