CVE-2022-0866
wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
Esto es un problema de concurrencia que puede resultar en que sea devuelto el caller principal incorrecto desde el contexto de sesión de un EJB que está configurado con un principal RunAs. En particular, la clase org.jboss.as.ejb3.component.EJBComponent presenta un campo incomingRunAsIdentity. Este campo es usado por el org.jboss.as.ejb3.security.RunAsPrincipalInterceptor para mantener un registro de la identidad actual antes de cambiar a una nueva identidad creada usando el principal RunAs. La explotación consiste en que el campo EJBComponent#incomingRunAsIdentity es actualmente sólo un SecurityIdentity. Esto significa que en un entorno concurrente, en el que varios usuarios invocan repetidamente un EJB configurado con una entidad de seguridad RunAs, es posible que sea devuelta una entidad de seguridad incorrecta desde EJBComponent#getCallerPrincipal. Del mismo modo, también es posible que EJBComponent#isCallerInRole devuelva un valor incorrecto. Ambos métodos dependen de incomingRunAsIdentity. Afecta a todas las versiones de JBoss EAP a partir de la 7.1.0 y a todas las versiones de WildFly 11+ cuando Elytron está habilitado
A flaw was found in Wildfly, where it returns an incorrect caller principal under certain heavily concurrent situations when Elytron Security is used. This flaw allows an attacker to gain improper access to information they should not have.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-03-04 CVE Reserved
- 2022-05-10 CVE Published
- 2023-12-01 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
- CWE-1220: Insufficient Granularity of Access Control
CAPEC
References (3)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0 | 2022-05-18 | |
https://access.redhat.com/security/cve/CVE-2022-0866 | 2022-11-03 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2060929 | 2022-11-03 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | >= 7.1.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version " >= 7.1.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Openstack Platform Search vendor "Redhat" for product "Openstack Platform" | 13.0 Search vendor "Redhat" for product "Openstack Platform" and version "13.0" | - |
Affected
| ||||||
Redhat Search vendor "Redhat" | Wildfly Search vendor "Redhat" for product "Wildfly" | >= 11.0.0 Search vendor "Redhat" for product "Wildfly" and version " >= 11.0.0" | - |
Affected
|