A privilege escalation flaw was found in the way the RunAsManager mechanism of the Spring Security tool performed user account (privileges) switch. Due to a race condition, a remote attacker could use this flaw to escalate their privileges (elevated privileges would be shared between concurrently executing threads). References: [1] http://www.securityfocus.com/archive/1/519594/30/0/threaded [2] http://www.springsource.com/security/cve-2011-2731
Sample PoC (from [1]): ====================== <quote> Example: If the RunAsManager returns an Authentication object for the current invocation, the security interceptor will temporarily store this in the security context for the duration of the invocation. This authentication object would be shared with other concurrently executing threads, leading to a possible escalation of privileges in those threads. </quote>
Statement: Not vulnerable. This issue affects the Spring Security package, which is not shipped with any Red Hat products.