Bug 818837 (CVE-2012-2312) - CVE-2012-2312 JBoss AS 7: Security Context Propagation - When re-using thread from thread pool, security context also gets re-used
Alias: CVE-2012-2312
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 820451
Blocks: 818838
Reported: 2012-05-04 07:01 UTC by Arun Babu Neelicattu
Modified: 2020-02-11 00:46 UTC (History)
6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-07-31 04:51:58 UTC


Description Arun Babu Neelicattu 2012-05-04 07:01:25 UTC
Security context propagation was not properly implemented. As a result, when a thread gets re-used from the thread pool, it still retains the security context from the process that last used it. The new security context is not properly propagated, and hence the previous security context will be in effect. A local attacker can use this flaw to escalate privileges in a malicious application deployed to the JBoss server.
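The failure mode named in the description, modelled as an added example (this is not JBoss code and not part of the bug report): a per-thread security context is held in thread-local storage, a single-worker pool forces every task onto the same reused thread, and the flawed handler only sets the context for authenticated callers and never clears it, so an unauthenticated request inherits the previous caller's roles. The hardened handler always establishes the current caller's own context and clears it in a `finally` block. All names (`set_context`, `handle_request_leaky`, `handle_request_fixed`, the principals and roles) are constructed for the illustration.

```python
"""Thread-pool reuse leaking a per-thread security context.

Added example, not part of the bug report or of JBoss AS. Uses Python's
threading.local and a one-worker pool so every task lands on the same
reused thread. All identifiers and sample principals are constructed.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Optional

# Per-thread "security context", standing in for what a container
# associates with the thread that handles a request (constructed).
_ctx = threading.local()


def set_context(principal: str, roles: frozenset) -> None:
    """Associate a caller identity and its roles with the current thread."""
    _ctx.principal = principal
    _ctx.roles = roles


def clear_context() -> None:
    """Remove any identity from the current thread."""
    for attr in ("principal", "roles"):
        if hasattr(_ctx, attr):
            delattr(_ctx, attr)


def current_roles() -> frozenset:
    """Roles of whatever context the current thread currently carries."""
    return getattr(_ctx, "roles", frozenset())


def is_caller_in_role(role: str) -> bool:
    return role in current_roles()


def handle_request_leaky(principal: Optional[str], roles: frozenset) -> bool:
    """Flawed handler: sets the context only for authenticated callers and
    never clears it, so the context left by the previous task on this
    thread is still in effect for an unauthenticated caller."""
    if principal is not None:
        set_context(principal, roles)
    return is_caller_in_role("admin")


def handle_request_fixed(principal: Optional[str], roles: frozenset) -> bool:
    """Hardened handler: always establishes the caller's own context
    (anonymous with no roles when unauthenticated) and always clears it
    on the way out, whether or not the request raised."""
    set_context(principal or "anonymous", roles)
    try:
        return is_caller_in_role("admin")
    finally:
        clear_context()


def run_sequence(handler):
    """Run an admin request, then an unauthenticated one, on the same
    pooled worker thread; return the two authorization decisions."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        first = pool.submit(handler, "alice", frozenset({"admin"})).result()
        second = pool.submit(handler, None, frozenset()).result()
    return first, second


if __name__ == "__main__":
    print("leaky:", run_sequence(handle_request_leaky))  # (True, True)
    print("fixed:", run_sequence(handle_request_fixed))  # (True, False)
```

The second value is the one that matters: with the leaky handler the anonymous request is treated as an admin purely because the thread was reused. Clearing the context in `finally` is the minimum fix; the stricter pattern is to establish the context unconditionally at the start of every request so no code path can observe a stale one.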

Comment 1 David Jorm 2012-05-04 07:16:24 UTC
This issue only affects JBoss AS 7.1.0, 7.1.1 and EAP 6 Beta.

Comment 2 David Jorm 2012-05-08 03:23:43 UTC
Upstream bug: https://issues.jboss.org/browse/JBPAPP-8863

Comment 4 David Jorm 2012-06-14 07:29:39 UTC
This flaw does not affect any Red Hat JBoss products, it only affects the JBoss AS 7 community releases.
