WildFly Core: WFCORE-1067

CVE-2015-5304 Missing authorization check for Monitor/Deployer/Auditor role when shutting down server or canceling op

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Done
• Affects Version/s: 1.0.0.Final, 1.0.1.Final, 2.0.0.Final, 2.0.1.Final, 2.0.2.Final, 2.0.3.Final
• Fix Version/s: 2.0.4.Final
• Component/s: Management
• Labels: None

Description

It was found that the server or host controller did not properly authorize a user performing a shut down. A user with the role Monitor, Deployer, or Auditor could use this flaw to shut down the EAP server, which is an action restricted to users in other roles.

The following commit introduced this issue:

https://github.com/wildfly/wildfly-core/commit/6e5611b4c6

The context.getServiceRegistry(true) call, which throws an exception when write authorization fails, was replaced with a call to context.authorize, which only returns an authorization result. Nothing was then done with the authorization result.

The same flaw exists in the handling of the cancel-active-operation op, although there this only means the admin could cancel an in-progress operation, perhaps initiated by a different admin. It also lets the admin cancel his own operation, which is arguably a benefit. But losing that benefit is an acceptable price to having a consistent RBAC scheme. (Note: CLI users whose own operations are hanging can always cancel them by doing a soft kill of the CLI process. Users of custom clients that use ModelControllerClient can cancel their own ops by using the ModelControllerClient executeAsync API and cancelling the Future returned thereby.)
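To make the regression concrete, here is an added example (not WildFly Core's own code) of the ignored-result pattern beside the corrected check that fails the operation on a DENY decision. The `Decision`, `AuthorizationResult` and `OperationContext` types, the read-only role policy and the two handler methods are simplified stand-ins assumed for this example; only the method name `authorize` and the role names follow the issue text.

```java
import java.util.Set;

public class ShutdownAuthorizationDemo {
    // Simplified stand-ins for the WildFly management types: the method names follow the
    // issue text, but the types and signatures are this example's own, not WildFly Core's.
    enum Decision { PERMIT, DENY }

    record AuthorizationResult(Decision decision, String explanation) {}

    static final class OperationContext {
        // Roles the issue names as not permitted to shut down the server (assumed policy).
        private static final Set<String> READ_ONLY_ROLES = Set.of("Monitor", "Deployer", "Auditor");
        private final String role;
        OperationContext(String role) { this.role = role; }

        // Like context.authorize: reports the decision but never throws.
        AuthorizationResult authorize(String operation) {
            return READ_ONLY_ROLES.contains(role)
                    ? new AuthorizationResult(Decision.DENY, role + " may not run " + operation)
                    : new AuthorizationResult(Decision.PERMIT, "");
        }
    }

    // Regressed pattern: authorize() is called and its result discarded, so every role proceeds.
    static String vulnerableExecute(OperationContext context) {
        context.authorize("shutdown");
        return "server shut down";
    }

    // Corrected pattern: act on the decision and fail the operation on DENY.
    static String fixedExecute(OperationContext context) {
        AuthorizationResult result = context.authorize("shutdown");
        if (result.decision() == Decision.DENY) {
            throw new SecurityException("shutdown rejected: " + result.explanation());
        }
        return "server shut down";
    }

    public static void main(String[] args) {
        OperationContext monitor = new OperationContext("Monitor");
        System.out.println("vulnerable handler, Monitor role: " + vulnerableExecute(monitor));
        try {
            fixedExecute(monitor);
        } catch (SecurityException e) {
            System.out.println("fixed handler, Monitor role: " + e.getMessage());
        }
        System.out.println("fixed handler, Administrator role: "
                + fixedExecute(new OperationContext("Administrator")));
    }
}
```

The same check applies to the cancel-active-operation handler: compute the result, test its decision, and fail the operation rather than fall through.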


People

• Assignee: Brian Stansberry (brian.stansberry)
• Reporter: Brian Stansberry (brian.stansberry)
