Bug 1380852 (CVE-2016-7061) - CVE-2016-7061 EAP: Sensitive data can be exposed at the server level in domain mode
Status: NEW
Alias: CVE-2016-7061
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20161107,reported=2...
Keywords: Security
Depends On: 1381324 1381325
Blocks: 1392081 1413131 1520314
Reported: 2016-09-30 19:10 UTC by Bharti Kundal
Modified: 2019-06-08 21:29 UTC (History)
It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.
Clone Of:
Last Closed:
bkundal: needinfo-




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0170 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 7.0.4 on RHEL 6 2017-01-20 20:58:37 UTC
Red Hat Product Errata RHSA-2017:0171 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 7.0.4 for RHEL 7 2017-01-20 20:58:12 UTC
Red Hat Product Errata RHSA-2017:0172 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 7.0.4 2017-01-19 01:40:13 UTC
Red Hat Product Errata RHSA-2017:0173 normal SHIPPED_LIVE Moderate: eap7-jboss-ec2-eap security update 2017-01-20 21:06:12 UTC
Red Hat Product Errata RHSA-2017:0244 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:39:38 UTC
Red Hat Product Errata RHSA-2017:0245 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:36:51 UTC
Red Hat Product Errata RHSA-2017:0246 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform security update 2017-02-03 01:33:58 UTC
Red Hat Product Errata RHSA-2017:0247 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform security update 2017-05-03 01:58:19 UTC
Red Hat Product Errata RHSA-2017:0250 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2017-02-03 02:03:53 UTC
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC

Description Bharti Kundal 2016-09-30 19:10:50 UTC
Sensitive data can be exposed at the server level through CLI in domain mode

Comment 1 Bharti Kundal 2016-09-30 20:09:25 UTC
When configuring RBAC and marking information as sensitive, the users under the Monitor role are able to view it. The following are the details:

<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>

<management>
    <access-control provider="rbac">
        <role-mapping>
            <role name="SuperUser">
                <include>
                    <user name="adminuser"/>
                </include>
            </role>
            <role name="Monitor">
                <include>
                    <user name="rbactest"/>
                </include>
            </role>
        </role-mapping>
        <constraints>
            <sensitive-classifications>
                <sensitive-classification type="core" name="socket-config" requires-read="true"/>
            </sensitive-classifications>
        </constraints>
    </access-control>
</management>


With user rbactest under the Monitor role, the socket-binding read-resource fails:

[bkundal@dhcp193-167 bin]$ ./jboss-cli.sh --connect 
Authenticating against security realm: ManagementRealm
Username: rbactest
Password: 

[domain@localhost:9999 /] cd socket-binding-group=ha-sockets
[domain@localhost:9999 socket-binding-group=ha-sockets] /socket-binding-group=ha-sockets/socket-binding=http:read-resource
{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' for resource '[
    (\"socket-binding-group\" => \"ha-sockets\"),
    (\"socket-binding\" => \"http\")
]' -- \"JBAS013475: Permission denied\"",
    "rolled-back" => true
}
[domain@localhost:9999 socket-binding-group=ha-sockets]

But this socket-config can be viewed at the server level:

[domain@localhost:9999 socket-binding-group=ha-sockets] cd /host=master/
[domain@localhost:9999 host=master] cd server=server-one
[domain@localhost:9999 server=server-one] cd socket-binding-group=full-sockets
[domain@localhost:9999 socket-binding-group=full-sockets] cd socket-binding=http
[domain@localhost:9999 socket-binding=http] ls -l
ATTRIBUTE         VALUE     TYPE    
bound             true      BOOLEAN 
bound-address     127.0.0.1 STRING  
bound-port        8080      INT     
client-mappings   undefined LIST    
fixed-port        false     BOOLEAN 
interface         undefined STRING  
multicast-address undefined STRING  
multicast-port    undefined INT     
name              http      STRING  
port              8080      INT     
[domain@localhost:9999 socket-binding=http]
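A post-patch regression check for the behaviour reported above, added here as an example and not code from the reporter or from Red Hat: it asks jboss-cli for `read-resource` on the socket-binding at both the domain-level address and the server-level runtime address as the Monitor user, and reports any address where the read succeeded instead of being denied. The jboss-cli.sh path, controller address and the success response are assumptions; the denial text is the one quoted in the report.

```python
import re
import subprocess

# Constructed samples in jboss-cli's DMR output format. DENIED_OUTPUT is the
# denial quoted in the report; SUCCESS_OUTPUT is a constructed stand-in for
# what the unpatched server-level address returned to the Monitor user.
DENIED_OUTPUT = '''{
    "outcome" => "failed",
    "failure-description" => "JBAS013456: Unauthorized to execute operation 'read-resource' ...",
    "rolled-back" => true
}'''
SUCCESS_OUTPUT = '''{
    "outcome" => "success",
    "result" => {"bound" => true, "bound-port" => 8080, "port" => 8080}
}'''

def parse_outcome(cli_output):
    """Return the value of the top-level "outcome" key, or None if absent."""
    m = re.search(r'"outcome"\s*=>\s*"([a-z]+)"', cli_output)
    return m.group(1) if m else None

def read_addresses(host, server, group, binding):
    """Both addresses a Monitor user must be denied on when socket-config is
    sensitive: the domain-level socket-binding and its server-level copy."""
    domain = f"/socket-binding-group={group}/socket-binding={binding}"
    server_level = f"/host={host}/server={server}" + domain
    return [domain, server_level]

def leaking_addresses(results):
    """results maps address -> cli output; return addresses readable by the
    Monitor user, i.e. where the sensitivity constraint was not enforced."""
    return [addr for addr, out in results.items() if parse_outcome(out) == "success"]

def run_check(host, server, group, binding, user, password,
              controller="localhost:9999", cli="./jboss-cli.sh"):
    """Run read-resource for each address as the given (Monitor) user.
    Assumes jboss-cli.sh at `cli`; the subprocess call is not exercised offline."""
    results = {}
    for addr in read_addresses(host, server, group, binding):
        proc = subprocess.run(
            [cli, "--connect", f"--controller={controller}",
             f"--user={user}", f"--password={password}",
             f"--commands={addr}:read-resource"],
            capture_output=True, text=True, check=False)
        results[addr] = proc.stdout
    return leaking_addresses(results)
```

An empty list from `run_check` means the constraint is enforced at both levels; on an unpatched host the server-level address is returned.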

Comment 7 errata-xmlrpc 2017-01-18 20:40:40 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 7.0.4

Via RHSA-2017:0172 https://rhn.redhat.com/errata/RHSA-2017-0172.html

Comment 8 errata-xmlrpc 2017-01-18 21:54:16 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0171 https://rhn.redhat.com/errata/RHSA-2017-0171.html

Comment 9 errata-xmlrpc 2017-01-18 21:54:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2017:0170 https://rhn.redhat.com/errata/RHSA-2017-0170.html

Comment 10 errata-xmlrpc 2017-01-18 22:12:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2017:0173 https://rhn.redhat.com/errata/RHSA-2017-0173.html

Comment 17 errata-xmlrpc 2017-02-02 20:23:43 UTC
This issue has been addressed in the following products:



Via RHSA-2017:0247 https://rhn.redhat.com/errata/RHSA-2017-0247.html

Comment 18 errata-xmlrpc 2017-02-02 20:44:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0246 https://rhn.redhat.com/errata/RHSA-2017-0246.html

Comment 19 errata-xmlrpc 2017-02-02 20:45:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0245 https://rhn.redhat.com/errata/RHSA-2017-0245.html

Comment 20 errata-xmlrpc 2017-02-02 20:46:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0244 https://rhn.redhat.com/errata/RHSA-2017-0244.html

Comment 21 errata-xmlrpc 2017-02-02 21:04:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0250 https://rhn.redhat.com/errata/RHSA-2017-0250.html

Comment 22 errata-xmlrpc 2017-12-13 17:33:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 23 errata-xmlrpc 2017-12-13 18:20:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 24 errata-xmlrpc 2017-12-13 18:41:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 25 errata-xmlrpc 2017-12-13 18:47:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

