SB2014081901 - Multiple vulnerabilities in JBoss Enterprise Application Platform
Published: August 19, 2014 Updated: August 10, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-3464)
The vulnerability allows a remote #AU# to read and manipulate data.
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers by leveraging permissions to the EJB class. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-2133.
2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-3472)
The vulnerability allows a remote #AU# to read and manipulate data.
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.
Remediation
Install update from vendor's website.
References
- http://rhn.redhat.com/errata/RHSA-2014-1019.html
- http://rhn.redhat.com/errata/RHSA-2014-1020.html
- http://rhn.redhat.com/errata/RHSA-2014-1021.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1102317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95409
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://www.securityfocus.com/bid/69094
- https://bugzilla.redhat.com/show_bug.cgi?id=1103815
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95170