Bug 969924 (CVE-2013-2133) - CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers
Summary: CVE-2013-2133 JBoss WS: EJB3 role restrictions are not applied to jaxws handlers
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-2133
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 969978 985798 985799 985801 985802 985803 988615 1048077 1050458 1050459 1050460 1050461 1050462 1050463 1050464
Blocks: 1012704 1012753 1082938 1210482
TreeView+ depends on / blocked
 
Reported: 2013-06-03 04:28 UTC by Arun Babu Neelicattu
Modified: 2023-05-12 20:35 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler which they were not authorized to invoke.
Clone Of:
Environment:
Last Closed: 2015-12-14 19:24:51 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1102317 0 low CLOSED CVE-2014-3464 JBoss WS: Incomplete fix for CVE-2013-2133 2023-05-12 16:02:46 UTC
Red Hat Product Errata RHSA-2013:1784 0 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.0 update 2013-12-04 22:23:59 UTC
Red Hat Product Errata RHSA-2013:1785 0 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.0 update 2013-12-04 23:08:46 UTC
Red Hat Product Errata RHSA-2013:1786 0 normal SHIPPED_LIVE Low: Red Hat JBoss Enterprise Application Platform 6.2.0 update 2013-12-04 23:04:52 UTC
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC
Red Hat Product Errata RHSA-2015:1009 0 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Internal Links: 1102317

Description Arun Babu Neelicattu 2013-06-03 04:28:35 UTC 
A vulnerability was identified in the way in which method-level authorization for JAX-WS Service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class, could invoke a JAX-WS handler that they are not authorized to.
Comment 5 David Jorm 2013-10-21 00:30:25 UTC 
Acknowledgements:

This issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat.
Comment 6 errata-xmlrpc 2013-12-04 17:24:40 UTC 
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.0

Via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html
Comment 7 errata-xmlrpc 2013-12-04 18:10:30 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html
Comment 8 errata-xmlrpc 2013-12-04 18:16:05 UTC 
This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html
Comment 19 Arun Babu Neelicattu 2015-02-10 14:23:10 UTC 
Statement:

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 20 Arun Babu Neelicattu 2015-02-10 14:34:36 UTC 
Upstream Issue:

https://issues.jboss.org/browse/WFLY-308

Upstream Fix:

https://github.com/wildfly/wildfly/pull/5234
Comment 22 errata-xmlrpc 2015-04-16 16:03:54 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 23 errata-xmlrpc 2015-04-16 16:08:30 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 24 errata-xmlrpc 2015-05-14 15:15:01 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
Note You need to log in before you can comment on or make changes to this bug.