Brian Stansberry updated WFCORE-1067:
-------------------------------------
Security: (was: Security Issue)
Affects Version/s: 2.0.3.Final, 2.0.2.Final, 2.0.1.Final, 2.0.0.Final (was: 2.0.0.CR7)
CVE-2015-5304 Missing authorization check for Monitor/Deployer/Auditor role when shutting down server or canceling op
----------------------------------------------------------------------------------------------------------------------
Key: WFCORE-1067
URL: https://issues.jboss.org/browse/WFCORE-1067
Project: WildFly Core
Issue Type: Bug
Components: Domain Management
Affects Versions: 1.0.0.Final, 1.0.1.Final, 2.0.0.Final, 2.0.1.Final, 2.0.2.Final, 2.0.3.Final
Reporter: Brian Stansberry
Assignee: Brian Stansberry
Fix For: 2.0.4.Final
It was found that the server or host controller did not properly authorize a user
performing a shut down. A user with the role Monitor, Deployer, or Auditor could use this
flaw to shut down the EAP server, which is an action restricted to users in other roles.
The following commit introduced this issue:
https://github.com/wildfly/wildfly-core/commit/6e5611b4c6
The context.getServiceRegistry(true) call, which throws an exception when write
authorization fails, was replaced with a call to context.authorize, which only returns an
authorization result. Nothing was then done with the authorization result.
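The two patterns contrasted above, as an added example written against the org.jboss.as.controller API; this is not the WildFly Core shutdown handler from the commit, and the class names, the doShutdown placeholder, and the use of AuthorizationResult.getExplanation() for the failure message are assumptions. It compiles only with wildfly-core on the classpath. The first handler discards the value returned by context.authorize, so a caller with the Monitor, Deployer or Auditor role falls through to the side effect; the second inspects the decision and fails the operation on DENY before anything happens, which is the behaviour context.getServiceRegistry(true) gave for free by throwing.

```java
import java.util.EnumSet;

import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.access.Action;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.dmr.ModelNode;

// Added example, not the project's own handler: the broken and the corrected
// authorization pattern side by side. Class and method names are illustrative.
public final class ShutdownAuthorizationExample {

    /** Pattern the issue describes as broken: the AuthorizationResult is thrown away. */
    static final class VulnerableShutdownHandler implements OperationStepHandler {
        @Override
        public void execute(OperationContext context, ModelNode operation)
                throws OperationFailedException {
            // authorize() only reports a decision; it never throws. Ignoring the
            // return value means every authenticated caller reaches doShutdown().
            context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
            doShutdown(context);
        }
    }

    /** Corrected pattern: check the decision and fail the op before any side effect. */
    static final class CheckedShutdownHandler implements OperationStepHandler {
        @Override
        public void execute(OperationContext context, ModelNode operation)
                throws OperationFailedException {
            AuthorizationResult result =
                    context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
            if (result.getDecision() == AuthorizationResult.Decision.DENY) {
                // Failing the operation here is what the RBAC scheme relies on; the
                // explanation (assumed accessor) carries the reason for the denial.
                throw new OperationFailedException(
                        "Caller is not authorized to shut down this server: "
                                + result.getExplanation());
            }
            doShutdown(context);
        }
    }

    /** Placeholder for the real shutdown (or cancel-active-operation) side effect. */
    static void doShutdown(OperationContext context) {
        // The real WildFly Core handler hands the request to the process controller;
        // left empty here so the example stays independent of server internals.
    }
}
```

The same check applies unchanged to the cancel-active-operation handler: any handler that switches from a throwing call to context.authorize must act on the returned decision, otherwise the step silently becomes open to every role.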
The same flaw exists in the handling of the cancel-active-operation op, although there
this only means the admin could cancel an in-progress operation, perhaps initiated by a
different admin. It also lets the admin cancel his own operation, which is arguably a
benefit. But losing that benefit is an acceptable price to having a consistent RBAC
scheme. (Note: CLI users whose own operations are hanging can always cancel them by doing
a soft kill of the CLI process. Users of custom clients that use ModelControllerClient can
cancel their own ops by using the ModelControllerClient executeAsync API and cancelling
the Future returned thereby.)