CVE-2014-0018 – jboss-as-server: Unchecked access to MSC Service Registry under JSM

https://notcve.org/view.php?id=CVE-2014-0018

Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (MSC) service registry, which allows local users to modify the server via a crafted deployment. Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 y JBoss WildFly Application Server, cuando es ejecutado bajo un gestor de seguridad, no restringe debidamente el acceso al registro del servicio Modular Service Container (MSC), lo que permite a usuarios locales modificar el servidor a través de una implementación manipulada. In Red Hat JBoss Enterprise Application Platform, when running under a security manager, it was possible for deployed code to get access to the Modular Service Container (MSC) service registry without any permission checks. This could allow malicious deployments to modify the internal state of the server in various ways. • http://rhn.redhat.com/errata/RHSA-2014-0170.html http://rhn.redhat.com/errata/RHSA-2014-0171.html http://rhn.redhat.com/errata/RHSA-2014-0172.html http://www.securityfocus.com/bid/65591 https://bugzilla.redhat.com/show_bug.cgi?id=1052783 https://access.redhat.com/security/cve/CVE-2014-0018 • CWE-264: Permissions, Privileges, and Access Controls •