CVE-2014-7827

Impact: Low
Public Date: 2015-02-11
CWE: CWE-863
Bugzilla: 1160574: CVE-2014-7827 JBoss Security: Wrong security context loaded when using SAML2 STS Login Module
It was found that, when asked to process a security domain that was not defined, the org.jboss.security.plugins.mapping.JBossMappingManager implementation fell back to the default security domain if one was available. A user with valid credentials in the defined default domain, holding a role that is also valid in the expected application domain, could therefore perform actions that were otherwise not available to them. When the SAML2 STS Login Module was used, JBossMappingManager exposed this issue because the PicketLink Trust SecurityActions implementation used a hardcoded default value when defining the context.
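The misconfiguration that triggers this fallback is a deployment naming a security domain the server never defines; the following added check (not code from the advisory or the JBoss project) lists such references so they can be fixed before the mapping manager silently resolves them against the default domain. It assumes an EAP 6 style security subsystem fragment with <security-domain name="..."> elements, jboss-web.xml descriptors that name the domain in <security-domain>, and "other" as the default domain name; all XML below is constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# The domain JBoss resolves to when a requested domain is not defined
# (assumption: "other", the stock default domain name).
DEFAULT_DOMAIN = "other"

# Constructed sample security subsystem fragment: only two domains are defined.
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="other" cache-type="default"/>
    <security-domain name="sts-domain" cache-type="default"/>
  </security-domains>
</subsystem>"""

# Constructed sample jboss-web.xml descriptors keyed by deployment name.
DEPLOYMENT_DESCRIPTORS = {
    "sts-client.war": "<jboss-web><security-domain>sts-domain</security-domain></jboss-web>",
    "legacy.war": "<jboss-web><security-domain>java:/jaas/legacy-domain</security-domain></jboss-web>",
    "public.war": "<jboss-web><context-root>/pub</context-root></jboss-web>",
}

def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def defined_domains(standalone_xml):
    """Names of every <security-domain name="..."> in the server config."""
    root = ET.fromstring(standalone_xml)
    return {el.get("name") for el in root.iter()
            if _local(el.tag) == "security-domain" and el.get("name")}

def referenced_domain(jboss_web_xml):
    """Domain a deployment requests, with any java:/jaas/ JNDI prefix removed."""
    root = ET.fromstring(jboss_web_xml)
    for el in root.iter():
        if _local(el.tag) == "security-domain" and el.text:
            return re.sub(r"^java:/?jaas/", "", el.text.strip())
    return None

def undefined_domain_references(standalone_xml, descriptors):
    """(deployment, requested domain) pairs that no defined domain satisfies,
    i.e. the requests that would silently be served by DEFAULT_DOMAIN."""
    known = defined_domains(standalone_xml)
    return [(name, dom) for name, desc in sorted(descriptors.items())
            if (dom := referenced_domain(desc)) is not None and dom not in known]

if __name__ == "__main__":
    for name, dom in undefined_domain_references(STANDALONE_XML, DEPLOYMENT_DESCRIPTORS):
        print(f"{name}: domain '{dom}' is undefined; would fall back to '{DEFAULT_DOMAIN}'")
```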

Find out more about CVE-2014-7827 from the MITRE CVE dictionary and NIST NVD.

Statement

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

CVSS v2 metrics

Base Score: 3.5
Base Metrics: AV:N/AC:M/Au:S/C:P/I:N/A:N
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:0217 | 2015-02-11
Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2015:0215 | 2015-02-11
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:0218 | 2015-02-11
Red Hat JBoss BPMS 6.0 | RHSA-2015:0851 | 2015-04-16
Red Hat JBoss BRMS 6.0 | RHSA-2015:0850 | 2015-04-16
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:0216 | 2015-02-11

Affected Packages State

Platform | Package | State
Red Hat JBoss Portal Platform 6 | eap | Will not fix
Red Hat JBoss Portal Platform 4 | jbosssx | Will not fix
Red Hat JBoss Portal 5 | jbosssx | Will not fix
Red Hat JBoss Operations Network 3 | eap | Will not fix
Red Hat JBoss Fuse Service Works 6 | eap | Will not fix
Red Hat JBoss Enterprise SOA Platform 5 | jbosssx | Will not fix
Red Hat JBoss Enterprise SOA Platform 4 | jbosssx | Will not fix
Red Hat JBoss EAP 5 | jbosssx | Will not fix
Red Hat JBoss EAP 4 | jbosssx | Will not fix
Red Hat JBoss Data Virtualization 6 | eap | Will not fix
Red Hat JBoss Data Grid 6 | eap | Will not fix
Red Hat JBoss BRMS 5 | eap | Will not fix

Acknowledgements

This issue was discovered by Ondra Lukas of the Red Hat Quality Engineering Team.