This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, its possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, its also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Jboss_enterprise_application_platform | Redhat | 7.1.0 (including) | * |
Openstack_platform | Redhat | 13.0 (including) | 13.0 (including) |
Wildfly | Redhat | 11.0.0 (including) | * |
Red Hat JBoss Enterprise Application Platform 7 | RedHat | wildfly | * |
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | RedHat | eap7-wildfly-0:7.4.5-3.GA_redhat_00001.1.el8eap | * |
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | RedHat | eap7-wildfly-0:7.4.5-3.GA_redhat_00001.1.el7eap | * |
Red Hat Single Sign-On 7 | RedHat | wildfly | * |
Red Hat Single Sign-On 7.5 for RHEL 7 | RedHat | rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el7sso | * |
Red Hat Single Sign-On 7.5 for RHEL 8 | RedHat | rh-sso7-keycloak-0:15.0.8-1.redhat_00001.1.el8sso | * |
Red Hat Single Sign-On 7.6.1 | RedHat | wildfly | * |
Red Hat Single Sign-On 7.6 for RHEL 7 | RedHat | rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el7sso | * |
Red Hat Single Sign-On 7.6 for RHEL 8 | RedHat | rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el8sso | * |
Red Hat Single Sign-On 7.6 for RHEL 9 | RedHat | rh-sso7-0:1-5.el9sso | * |
Red Hat Single Sign-On 7.6 for RHEL 9 | RedHat | rh-sso7-javapackages-tools-0:6.0.0-7.el9sso | * |
Red Hat Single Sign-On 7.6 for RHEL 9 | RedHat | rh-sso7-keycloak-0:18.0.3-1.redhat_00001.1.el9sso | * |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are incorrectly applied, users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.