Bug 969924 - (CVE-2013-2133) CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
impact=low,public=20131204,reported=2...
Keywords: Security
Depends On: 969978 985798 985799 985801 985802 985803 988615 1048077 1050458 1050459 1050460 1050461 1050462 1050463 1050464
Blocks: 1012704 1012753 1082938 1210482
Reported: 2013-06-03 00:28 EDT by Arun Babu Neelicattu
Modified: 2015-12-14 14:24 EST
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class could invoke a JAX-WS handler which they were not authorized to invoke.
Last Closed: 2015-12-14 14:24:51 EST
Description Arun Babu Neelicattu 2013-06-03 00:28:35 EDT
A vulnerability was identified in the way in which method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class could invoke a JAX-WS handler that they are not authorized to invoke.
Comment 5 David Jorm 2013-10-20 20:30:25 EDT
Acknowledgements:

This issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat.
Comment 6 errata-xmlrpc 2013-12-04 12:24:40 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.0

Via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html
Comment 7 errata-xmlrpc 2013-12-04 13:10:30 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html
Comment 8 errata-xmlrpc 2013-12-04 13:16:05 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html
Comment 19 Arun Babu Neelicattu 2015-02-10 09:23:10 EST
Statement:

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 20 Arun Babu Neelicattu 2015-02-10 09:34:36 EST
Upstream Issue:

https://issues.jboss.org/browse/WFLY-308

Upstream Fix:

https://github.com/wildfly/wildfly/pull/5234
Comment 22 errata-xmlrpc 2015-04-16 12:03:54 EDT
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 23 errata-xmlrpc 2015-04-16 12:08:30 EDT
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 24 errata-xmlrpc 2015-05-14 11:15:01 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
