CPE Details
Red Hat JBoss Enterprise Application Platform (EAP) 7.3.9 General Availability
7.3.9
2022-01-07
13h05 +00:00
13h05 +00:00
2022-06-06
11h54 +00:00
11h54 +00:00
Alerte pour un CPE
Stay informed of any changes for a specific CPE.
CPE Name: cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.9:general_availability:*:*:*:*:*:*
Informations
Vendor
redhatProduct
jboss_enterprise_application_platformVersion
7.3.9Update
general_availabilityRelated CVE
| CVE ID | Published | Description | Score | Severity |
|---|---|---|---|---|
| This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled. | 5.3 |
Medium |
||
| The HornetQ component of Artemis in EAP 7 was not updated with the fix for CVE-2016-4978. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using a JMS ObjectMessage. | 7.2 |
High |
