CVE-2022-0866

wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

Esto es un problema de concurrencia que puede resultar en que sea devuelto el caller principal incorrecto desde el contexto de sesión de un EJB que está configurado con un principal RunAs. En particular, la clase org.jboss.as.ejb3.component.EJBComponent presenta un campo incomingRunAsIdentity. Este campo es usado por el org.jboss.as.ejb3.security.RunAsPrincipalInterceptor para mantener un registro de la identidad actual antes de cambiar a una nueva identidad creada usando el principal RunAs. La explotación consiste en que el campo EJBComponent#incomingRunAsIdentity es actualmente sólo un SecurityIdentity. Esto significa que en un entorno concurrente, en el que varios usuarios invocan repetidamente un EJB configurado con una entidad de seguridad RunAs, es posible que sea devuelta una entidad de seguridad incorrecta desde EJBComponent#getCallerPrincipal. Del mismo modo, también es posible que EJBComponent#isCallerInRole devuelva un valor incorrecto. Ambos métodos dependen de incomingRunAsIdentity. Afecta a todas las versiones de JBoss EAP a partir de la 7.1.0 y a todas las versiones de WildFly 11+ cuando Elytron está habilitado

A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-03-04 CVE Reserved
2022-05-10 CVE Published
2023-12-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization
CWE-1220: Insufficient Granularity of Access Control

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0	2022-05-18
https://access.redhat.com/security/cve/CVE-2022-0866	2022-11-03
https://bugzilla.redhat.com/show_bug.cgi?id=2060929	2022-11-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				>= 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " >= 7.1.0"		-		Affected
Redhat Search vendor "Redhat"		Openstack Platform Search vendor "Redhat" for product "Openstack Platform"				13.0 Search vendor "Redhat" for product "Openstack Platform" and version "13.0"		-		Affected
Redhat Search vendor "Redhat"		Wildfly Search vendor "Redhat" for product "Wildfly"				>= 11.0.0 Search vendor "Redhat" for product "Wildfly" and version " >= 11.0.0"		-		Affected