Fedora Account System
Red Hat Associate
Red Hat Customer
When there are no allowed roles for an EJB method invocation, the invocation should be denied for all users. The processInvocation() method in org.jboss.as.ejb3.security.AuthorizationInterceptor incorrectly authorizes all method invocations to proceed when the list of allowed roles is empty.
Acknowledgements: This issue was discovered by Arun Neelicattu of the Red Hat Security Response Team.
This issue has been addressed in following products: JBEAP 6 for RHEL 5 Via RHSA-2012:1591 https://rhn.redhat.com/errata/RHSA-2012-1591.html
This issue has been addressed in following products: JBEAP 6 for RHEL 6 Via RHSA-2012:1592 https://rhn.redhat.com/errata/RHSA-2012-1592.html
This issue has been addressed in following products: JBoss Enterprise Application Platform 6.0.1 Via RHSA-2012:1594 https://rhn.redhat.com/errata/RHSA-2012-1594.html
Statement: This issue did not affect JBoss Enterprise Application Platform versions 4.x and 5.x.