A vulnerability was identified in the way method-level authorization for JAX-WS service endpoints was performed by the EJB invocation handler implementation. Any restrictions declared on EJB methods were ignored when executing the JAX-WS handlers, and only class-level restrictions were applied. A remote attacker who is authorized to access the EJB class could invoke a JAX-WS handler that they are not authorized to invoke.
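To make the distinction concrete, the following is an added example (not code from Red Hat, WildFly or the upstream fix) that resolves the effective security constraint for a bean method using the standard JSR-250 precedence rules, where a method-level annotation overrides the class-level one, and contrasts it with a check that consults only the class-level annotation, which is the behaviour the advisory describes. The bean, its method names and the role names are constructed for illustration; the example assumes the javax.annotation.security annotations (JSR-250, e.g. the jsr250-api jar) are on the classpath.

```java
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Hypothetical EJB exposed as a JAX-WS endpoint (constructed for this example). */
@RolesAllowed("user")
class AccountServiceBean {
    public String balance()      { return "balance"; }  // inherits class-level "user"
    @RolesAllowed("admin")
    public String closeAccount() { return "closed"; }   // method-level: "admin" only
    @PermitAll
    public String ping()         { return "pong"; }     // method-level: anyone
    @DenyAll
    public String internalOnly() { return "never"; }    // method-level: nobody
}

public class MethodLevelAuthCheck {
    enum Decision { PERMIT, DENY }

    /**
     * Correct resolution: the method's own annotation wins; only when the method
     * carries none do we fall back to the class-level annotation.
     */
    static Decision authorize(Class<?> bean, String methodName, Set<String> callerRoles)
            throws NoSuchMethodException {
        Method m = bean.getMethod(methodName);
        if (m.isAnnotationPresent(DenyAll.class))   return Decision.DENY;
        if (m.isAnnotationPresent(PermitAll.class)) return Decision.PERMIT;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) {
            // No method-level constraint: apply the class-level one.
            if (bean.isAnnotationPresent(PermitAll.class)) return Decision.PERMIT;
            ra = bean.getAnnotation(RolesAllowed.class);
        }
        if (ra == null) return Decision.PERMIT; // no constraint declared anywhere
        for (String role : ra.value()) {
            if (callerRoles.contains(role)) return Decision.PERMIT;
        }
        return Decision.DENY;
    }

    /** The flawed behaviour described in the advisory: only the class-level constraint is consulted. */
    static Decision authorizeClassLevelOnly(Class<?> bean, Set<String> callerRoles) {
        if (bean.isAnnotationPresent(PermitAll.class)) return Decision.PERMIT;
        RolesAllowed ra = bean.getAnnotation(RolesAllowed.class);
        if (ra == null) return Decision.PERMIT;
        for (String role : ra.value()) {
            if (callerRoles.contains(role)) return Decision.PERMIT;
        }
        return Decision.DENY;
    }

    public static void main(String[] args) throws Exception {
        // A caller that holds only the class-level role.
        Set<String> caller = new HashSet<>(Arrays.asList("user"));
        for (String name : new String[] {"balance", "closeAccount", "ping", "internalOnly"}) {
            System.out.printf("%-13s class-level-only=%-6s method-level=%s%n", name,
                    authorizeClassLevelOnly(AccountServiceBean.class, caller),
                    authorize(AccountServiceBean.class, name, caller));
        }
    }
}
```

Running the main method with a caller holding only the "user" role shows the two checks agreeing on balance() and ping() but disagreeing on closeAccount() and internalOnly(): the class-level-only check permits both, while the method-level resolution denies them. A regression test of this shape, driven through the deployed JAX-WS endpoint rather than reflection, is the practical way to confirm that a container applies the per-method restrictions after patching.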
Acknowledgements: This issue was discovered by Richard Opalka and Arun Neelicattu of Red Hat.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.0 via RHSA-2013:1784 https://rhn.redhat.com/errata/RHSA-2013-1784.html
This issue has been addressed in the following products: JBEAP 6 for RHEL 6 via RHSA-2013:1786 https://rhn.redhat.com/errata/RHSA-2013-1786.html
This issue has been addressed in the following products: JBEAP 6 for RHEL 5 via RHSA-2013:1785 https://rhn.redhat.com/errata/RHSA-2013-1785.html
Statement: Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Upstream Issue: https://issues.jboss.org/browse/WFLY-308
Upstream Fix: https://github.com/wildfly/wildfly/pull/5234
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html