Red Hat JBoss Enterprise Application Platform (EAP) 7.3.9 General Availability

CPE Details

Red Hat JBoss Enterprise Application Platform (EAP) 7.3.9 General Availability
redhat
jboss_enterprise_application_platform
7.3.9
2022-01-07
13h05 +00:00
2022-06-06
11h54 +00:00
CPE NVD
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
Notifications manage

CPE Name: cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.9:general_availability:*:*:*:*:*:*

Informations

Vendor

redhat

Product

jboss_enterprise_application_platform

Version

7.3.9

Update

general_availability

Related CVE

Open and find in CVE List

CVE ID Published Description Score Severity
CVE-2022-0866 2022-05-10 18h20 +00:00 This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
5.3
Medium
CVE-2021-20318 2021-12-23 18h48 +00:00 The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage.
7.2
High