CVE-2012-1167
First published: Tue Mar 13 2012(Updated: )
The JBoss Server in JBoss Enterprise Application Platform 5.1.x before 5.1.2 and 5.2.x before 5.2.2, Web Platform before 5.1.2, BRMS Platform before 5.3.0, and SOA Platform before 5.3.0, when the server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm, does not properly check the permissions created by the WebPermissionMapping class, which allows remote authenticated users to access arbitrary applications.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| JBoss Enterprise Application Platform | =5.1.0 | |
| JBoss Enterprise Application Platform | =5.1.1 | |
| JBoss Enterprise Application Platform | =5.2.0 | |
| JBoss Enterprise Application Platform | =5.2.1 | |
| Red Hat JBoss Enterprise BRMS Platform | <=5.2.0 | |
| Red Hat JBoss Enterprise SOA Platform | <=5.2.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.1 | |
| Red Hat JBoss Enterprise SOA Platform | =5.0.2 | |
| Red Hat JBoss Enterprise SOA Platform | =5.1.0 | |
| Red Hat JBoss Enterprise SOA Platform | =5.1.1 | |
| Red Hat JBoss Enterprise Web Platform | <=5.1.1 | |
| Red Hat JBoss Enterprise Web Platform | =5.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://rhn.redhat.com/errata/RHSA-2012-1013.html
- https://rhn.redhat.com/errata/RHSA-2012-1014.html
- https://rhn.redhat.com/errata/RHSA-2012-1027.html
- https://rhn.redhat.com/errata/RHSA-2012-1026.html
- https://rhn.redhat.com/errata/RHSA-2012-1028.html
- https://rhn.redhat.com/errata/RHSA-2012-1125.html
- https://rhn.redhat.com/errata/RHSA-2012-1232.html
- https://bugzilla.redhat.com/show_bug.cgi?id=802622
- http://rhn.redhat.com/errata/RHSA-2012-1013.html
- http://rhn.redhat.com/errata/RHSA-2012-1014.html
- http://rhn.redhat.com/errata/RHSA-2012-1026.html
- http://rhn.redhat.com/errata/RHSA-2012-1027.html
- http://rhn.redhat.com/errata/RHSA-2012-1028.html
- http://rhn.redhat.com/errata/RHSA-2012-1125.html
- http://rhn.redhat.com/errata/RHSA-2012-1232.html
- http://secunia.com/advisories/49635
- http://secunia.com/advisories/49658
- http://secunia.com/advisories/50549
- http://securitytracker.com/id?1027501
- http://www.securityfocus.com/bid/54089
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76680
Frequently Asked Questions
What is the severity of CVE-2012-1167?
The severity of CVE-2012-1167 is classified as critical.
How do I fix CVE-2012-1167?
To fix CVE-2012-1167, upgrade to JBoss Enterprise Application Platform version 5.1.2 or higher.
What versions are affected by CVE-2012-1167?
CVE-2012-1167 affects JBoss Enterprise Application Platform versions 5.1.0, 5.1.1, 5.2.0, and 5.2.1, as well as multiple versions of the BRMS and SOA Platforms.
What configurations are vulnerable for CVE-2012-1167?
CVE-2012-1167 is vulnerable when the JBoss Server is configured to use JaccAuthorizationRealm with the ignoreBaseDecision property set to true.
Is there a workaround for CVE-2012-1167?
While the best practice is to upgrade, a potential workaround is to disable the ignoreBaseDecision property if possible.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/author
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-1167
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/5.1.0
- version/jboss enterprise application platform/5.1.1
- version/jboss enterprise application platform/5.2.0
- version/jboss enterprise application platform/5.2.1
- canonical/red hat jboss enterprise brms platform
- version/red hat jboss enterprise brms platform/5.2.0
- canonical/red hat jboss enterprise soa platform
- version/red hat jboss enterprise soa platform/5.2.0
- version/red hat jboss enterprise soa platform/5.0.0
- version/red hat jboss enterprise soa platform/5.0.1
- version/red hat jboss enterprise soa platform/5.0.2
- version/red hat jboss enterprise soa platform/5.1.0
- version/red hat jboss enterprise soa platform/5.1.1
- canonical/red hat jboss enterprise web platform
- version/red hat jboss enterprise web platform/5.1.1
- version/red hat jboss enterprise web platform/5.1.0