1169237: CVE-2014-8122 JBoss Weld: Limited information disclosure via stale thread state
It was discovered that under specific conditions the conversation state information stored in a thread-local variable in JBoss Weld was not sanitized correctly when the conversation ended. This could lead to a race condition that could potentially expose sensitive information from a previous conversation to the current conversation.
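As an added illustration that is not Weld's code and not part of the advisory, the hypothetical Java program below shows the general mechanism this class of bug relies on: a per-conversation map kept in a ThreadLocal survives the end of the request when the worker thread is pooled, so the next request handled by the same thread starts with the previous user's data already attached. All class and method names (ConversationContext, handleRequest, runTwoRequests) are made up for the example; the hardened variant simply detaches the slot with ThreadLocal.remove() in a finally block, which is the usual fix for stale thread-local state.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

/**
 * Hypothetical demo (not JBoss Weld's code): conversation state stored in a
 * ThreadLocal leaks from one request to the next when threads are pooled,
 * unless the slot is cleared when the conversation ends.
 */
public class StaleThreadStateDemo {

    // Stand-in for a conversation-scoped context held in a thread-local slot.
    static final class ConversationContext {
        private static final ThreadLocal<Map<String, String>> STATE = new ThreadLocal<>();

        // Returns the map bound to the current thread, creating it on first use.
        static Map<String, String> current() {
            Map<String, String> m = STATE.get();
            if (m == null) {
                m = new HashMap<>();
                STATE.set(m);
            }
            return m;
        }

        // Leaky end-of-conversation: the map stays attached to the worker thread.
        static void endLeaky() {
            // intentionally does nothing
        }

        // Sanitized end-of-conversation: detach the map from the thread.
        static void endSafe() {
            STATE.remove();
        }
    }

    // Handles one request for a user and returns whatever "user" value was
    // already present in the thread's context before this request wrote to it
    // (null when the context was clean, a stale name when it was not).
    static String handleRequest(String user, boolean sanitize) {
        Map<String, String> ctx = ConversationContext.current();
        String seenBefore = ctx.get("user");
        try {
            ctx.put("user", user);
            ctx.put("secret", "token-for-" + user);   // constructed sample value
        } finally {
            if (sanitize) {
                ConversationContext.endSafe();
            } else {
                ConversationContext.endLeaky();
            }
        }
        return seenBefore;
    }

    // Runs two requests for different users on a single-thread pool so that
    // both are guaranteed to execute on the same worker thread.
    static String runTwoRequests(boolean sanitize) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            pool.submit(() -> handleRequest("alice", sanitize)).get();
            return pool.submit(() -> handleRequest("bob", sanitize)).get();
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // Without sanitizing, the second request observes the first user's name.
        System.out.println("leaky, bob's request saw: " + runTwoRequests(false));
        // With ThreadLocal.remove() at conversation end, the second request starts clean.
        System.out.println("sanitized, bob's request saw: " + runTwoRequests(true));
    }
}
```

The single-thread executor makes the thread reuse deterministic; on a real server the same reuse happens whenever a pooled thread picks up a later request, which is why the leak only shows up under particular timing and was scored with high access complexity. The defensive pattern is the same regardless of framework: anything stored in a ThreadLocal for the duration of a request or conversation must be removed on every exit path, including the exceptional one.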

Find out more about CVE-2014-8122 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 2.1
Base Metrics: AV:N/AC:H/Au:S/C:P/I:N/A:N
Access Vector: Network
Access Complexity: High
Authentication: Single
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Operations Network 3.3 | RHSA-2015:0920 | 2015-04-30
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2015:0217 | 2015-02-11
Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2015:0215 | 2015-02-11
Red Hat JBoss Data Virtualization 6.1 | RHSA-2015:0675 | 2015-03-11
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2015:0218 | 2015-02-11
Red Hat JBoss BPMS 6.0 | RHSA-2015:0851 | 2015-04-16
Red Hat JBoss BRMS 6.0 | RHSA-2015:0850 | 2015-04-16
Red Hat JBoss Data Grid 6.4 | RHSA-2015:0773 | 2015-04-01
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2015:0216 | 2015-02-11

Affected Packages State

Platform | Package | State
Red Hat JBoss Portal Platform 6 | weld | Will not fix
Red Hat JBoss Fuse Service Works 6 | weld | Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Red Hat would like to thank Rune Steinseth of JProfessionals for reporting this issue.