Hynek Švábek updated WFLY-8749:
-------------------------------
Security: (was: Security Issue)
RBAC: there are missing access-constraints for attributes which
reference elytron capabilities.
------------------------------------------------------------------------------------------------
Key: WFLY-8749
URL: https://issues.jboss.org/browse/WFLY-8749
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Hynek Švábek
Priority: Blocker
This is potentially a security vulnerability, therefore it is a BLOCKER.
According to RFE EAP7-548, an access-constraint must be set wherever
elytron capabilities are referenced.
I found 6 places where the access-constraint is missing.
{code}
/subsystem=undertow:read-resource-description(recursive=true)
{code}
There is *http-invoker*, attr *http-authentication-factory* with
*org.wildfly.security.http-authentication-factory* capability.
{code}
/subsystem=datasources:read-resource-description(recursive=true)
{code}
There is *xa-data-source*, attr *recovery-authentication-context* with
*org.wildfly.security.authentication-context* capability.
{code}
/subsystem=ejb3:read-resource-description(recursive=true)
{code}
There is *identity*, attr *outflow-security-domains* with
*org.wildfly.security.security-domain* capability.
{code}
/core-service=management/management-interface=http-interface:read-resource-description(recursive=true)
{code}
There is *sasl-authentication-factory* with
*org.wildfly.security.sasl-authentication-factory* capability.
{code}
/deployment=test:read-resource-description(recursive=true)
{code}
There is *xa-data-source*, attr *recovery-authentication-context* with
*org.wildfly.security.authentication-context* capability,
and *there is the same problem in the subdeployment resource too*.
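A defender-side check for the class of gap reported above, added here as an example and not WildFly's own code: it walks a read-resource-description(recursive=true) result in the JSON shape the HTTP management API returns (attributes / children / model-description) and lists every attribute whose capability-reference names an Elytron capability but which carries no access-constraints. The sample document is constructed to mirror the xa-data-source case, not captured from a server.

```python
import json

ELYTRON_PREFIX = "org.wildfly.security."

# Constructed sample in the JSON shape of a read-resource-description(recursive=true)
# result; assumed layout, not output from a real WildFly server.
SAMPLE = json.dumps({
    "attributes": {},
    "children": {
        "xa-data-source": {
            "model-description": {
                "*": {
                    "attributes": {
                        # Elytron reference with no access-constraint: must be flagged.
                        "recovery-authentication-context": {
                            "capability-reference": "org.wildfly.security.authentication-context",
                        },
                        # Elytron reference that already carries a constraint: fine.
                        "authentication-context": {
                            "capability-reference": "org.wildfly.security.authentication-context",
                            "access-constraints": {"sensitive": {"credential": {"type": "core"}}},
                        },
                        # Constrained attribute that is not an Elytron reference: out of scope.
                        "user-name": {"access-constraints": {"sensitive": {"credential": {"type": "core"}}}},
                    },
                    "children": {},
                }
            }
        }
    },
})


def find_unconstrained(desc, path=()):
    """Return (address, attribute, capability) for each attribute that references
    an Elytron capability but has no access-constraints entry, recursing into children."""
    found = []
    for name, attr in desc.get("attributes", {}).items():
        ref = attr.get("capability-reference", "")
        if ref.startswith(ELYTRON_PREFIX) and not attr.get("access-constraints"):
            found.append(("/".join(path) or "/", name, ref))
    for child, spec in desc.get("children", {}).items():
        for key, sub in spec.get("model-description", {}).items():
            found.extend(find_unconstrained(sub, path + (f"{child}={key}",)))
    return found


def audit(json_text):
    """Parse a JSON resource description and list its unconstrained Elytron references."""
    return find_unconstrained(json.loads(json_text))
```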