872059 – (CVE-2012-4572) CVE-2012-4572 JBoss: custom authorization module implementations shared between applications

Bug 872059 (CVE-2012-4572) - CVE-2012-4572 JBoss: custom authorization module implementations shared between applications

Summary: CVE-2012-4572 JBoss: custom authorization module implementations shared betwe...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-4572
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	901128 965326 965327
Blocks:	872063 920007 970481
TreeView+	depends on / blocked

Reported:	2012-11-01 05:52 UTC by David Jorm
Modified:	2023-05-12 15:08 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-10-17 01:41:45 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0833	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.1.0 update	2013-05-20 18:31:18 UTC
Red Hat Product Errata	RHSA-2013:0834	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.1.0 update	2013-05-20 23:19:13 UTC
Red Hat Product Errata	RHSA-2013:0839	normal	SHIPPED_LIVE	Important: JBoss Enterprise Application Platform 6.1.0 update	2013-05-20 23:18:52 UTC
Red Hat Product Errata	RHSA-2013:1437	normal	SHIPPED_LIVE	Important: Red Hat JBoss Portal 6.1.0 update	2013-10-16 20:53:32 UTC

Description David Jorm 2012-11-01 05:52:16 UTC

If multiple applications use the same custom authorization module class name, and provide their own implementations of it, the first application to be loaded will have its implementation used for all applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker.

Comment 2 David Jorm 2012-11-01 06:29:56 UTC

Acknowledgements:

This issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

Comment 4 errata-xmlrpc 2013-05-20 14:31:59 UTC

This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

Comment 5 errata-xmlrpc 2013-05-20 15:25:38 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 6

Via RHSA-2013:0834 https://rhn.redhat.com/errata/RHSA-2013-0834.html

Comment 6 errata-xmlrpc 2013-05-20 15:39:20 UTC

This issue has been addressed in following products:

  JBEAP 6 for RHEL 5

Via RHSA-2013:0839 https://rhn.redhat.com/errata/RHSA-2013-0839.html

Comment 9 errata-xmlrpc 2013-10-16 16:55:39 UTC

This issue has been addressed in following products:

  Red Hat JBoss Portal 6.1.0

Via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html

Note You need to log in before you can comment on or make changes to this bug.