First published: Fri Mar 04 2022(Updated: )
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal.

The org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. The org.jboss.as.ejb3.security.RunAsPrincipalInterceptor uses this field to keep track of the current identity before switching to the new identity created from the RunAs principal. The root cause is that EJBComponent#incomingRunAsIdentity is a single SecurityIdentity field on the component instance, shared by every invocation rather than tracked per invocation. In a concurrent environment, where multiple users are repeatedly invoking an EJB configured with a RunAs principal, one invocation can overwrite the incoming identity saved by another. As a result, EJBComponent#getCallerPrincipal can return the wrong caller principal, and EJBComponent#isCallerInRole can likewise return the wrong value; both methods rely on incomingRunAsIdentity. In practice this means a role check performed inside a RunAs bean may be evaluated against a different concurrent user's identity.

Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
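The following is an added example, not WildFly's or JBoss EAP's own code, that models the race described above in plain Java. The class names SecurityIdentity, SharedFieldComponent, PerInvocationComponent and countWrongCallerPrincipals are assumptions made for the illustration; the real Elytron SecurityIdentity and EJBComponent are far larger. The vulnerable shape stores the incoming identity in one field shared by all callers, exactly as the description says; the hardened shape keeps it per invoking thread (a ThreadLocal is one way to do that, chosen for this example rather than quoted from the upstream fix). Running it shows that the shared field reports other users' principals under load while the per-invocation version never does.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.CyclicBarrier;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Added example modelling CVE-2022-0866; names below are illustrative, not WildFly's API.
public class RunAsRaceDemo {

    /** Stand-in for Elytron's SecurityIdentity: only the principal name matters here. */
    static final class SecurityIdentity {
        final String principal;
        SecurityIdentity(String principal) { this.principal = principal; }
    }

    /** Minimal model of an EJB component configured with a RunAs principal. */
    interface Component {
        /** Enters the bean as {@code caller} and returns what getCallerPrincipal() reports inside it. */
        String invoke(SecurityIdentity caller) throws InterruptedException;
    }

    /** Vulnerable shape: one incomingRunAsIdentity slot shared by every thread entering the component. */
    static final class SharedFieldComponent implements Component {
        private SecurityIdentity incomingRunAsIdentity;

        @Override
        public String invoke(SecurityIdentity caller) throws InterruptedException {
            // RunAsPrincipalInterceptor step: remember the incoming identity, then run as the RunAs principal.
            incomingRunAsIdentity = caller;
            Thread.sleep(1);                      // bean body executes while other callers keep arriving
            // getCallerPrincipal() step: the bean runs as RunAs, so answer from the saved incoming identity.
            return incomingRunAsIdentity.principal;
        }
    }

    /** Hardened shape: the incoming identity is kept per invoking thread, so callers cannot overwrite each other. */
    static final class PerInvocationComponent implements Component {
        private final ThreadLocal<SecurityIdentity> incomingRunAsIdentity = new ThreadLocal<>();

        @Override
        public String invoke(SecurityIdentity caller) throws InterruptedException {
            incomingRunAsIdentity.set(caller);
            try {
                Thread.sleep(1);
                return incomingRunAsIdentity.get().principal;
            } finally {
                incomingRunAsIdentity.remove();   // do not leak the identity to the next request on this pooled thread
            }
        }
    }

    /** Runs {@code callers} users concurrently, each invoking the bean repeatedly, and counts wrong answers. */
    static int countWrongCallerPrincipals(Component component, int callers, int iterations) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(callers);
        CyclicBarrier start = new CyclicBarrier(callers);
        List<Future<Integer>> results = new ArrayList<>();
        for (int i = 0; i < callers; i++) {
            SecurityIdentity me = new SecurityIdentity("user" + i);   // constructed sample users
            results.add(pool.submit((Callable<Integer>) () -> {
                start.await();                    // make all callers hit the bean at the same moment
                int wrong = 0;
                for (int n = 0; n < iterations; n++) {
                    if (!me.principal.equals(component.invoke(me))) wrong++;
                }
                return wrong;
            }));
        }
        int wrong = 0;
        for (Future<Integer> f : results) wrong += f.get();
        pool.shutdown();
        return wrong;
    }

    public static void main(String[] args) throws Exception {
        int callers = 8, iterations = 200;
        System.out.println("shared field  : wrong caller principals = "
                + countWrongCallerPrincipals(new SharedFieldComponent(), callers, iterations));
        System.out.println("per-invocation: wrong caller principals = "
                + countWrongCallerPrincipals(new PerInvocationComponent(), callers, iterations));
    }
}
```

Compile and run with `javac RunAsRaceDemo.java && java RunAsRaceDemo`. The first count is nondeterministic but consistently non-zero with several callers, which is the behaviour the advisory describes; the second is always zero. The same shared-state reasoning applies to any check, such as isCallerInRole, that reads the saved incoming identity instead of per-invocation state.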
Credit: secalert@redhat.com
Affected Software | Affected Version | Fixed Version |
---|---|---|
redhat/eap7-wildfly | <0:7.4.5-3.GA_redhat_00001.1.el8ea | 0:7.4.5-3.GA_redhat_00001.1.el8ea |
redhat/eap7-wildfly | <0:7.4.5-3.GA_redhat_00001.1.el7ea | 0:7.4.5-3.GA_redhat_00001.1.el7ea |
redhat/rh-sso7-keycloak | <0:15.0.8-1.redhat_00001.1.el7 | 0:15.0.8-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:15.0.8-1.redhat_00001.1.el8 | 0:15.0.8-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el7 | 0:18.0.3-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el8 | 0:18.0.3-1.redhat_00001.1.el8 |
redhat/rh-sso7 | <0:1-5.el9 | 0:1-5.el9 |
redhat/rh-sso7-javapackages-tools | <0:6.0.0-7.el9 | 0:6.0.0-7.el9 |
redhat/rh-sso7-keycloak | <0:18.0.3-1.redhat_00001.1.el9 | 0:18.0.3-1.redhat_00001.1.el9 |
Redhat Jboss Enterprise Application Platform | >=7.1.0 | |
Redhat Openstack Platform | =13.0 | |
Redhat Wildfly | >=11.0.0 | |
CVE-2022-0866 is a concurrency vulnerability in WildFly and JBoss EAP that can result in an incorrect caller principal being returned from the session context of an EJB configured with a RunAs principal.
CVE-2022-0866 has a severity rating of medium (CVSS v3.1).
CVE-2022-0866 affects eap7-wildfly versions earlier than 7.4.5-3.GA_redhat_00001.1.el8ea and 7.4.5-3.GA_redhat_00001.1.el7ea, and rh-sso7-keycloak versions earlier than 15.0.8-1.redhat_00001.1.el7 and 15.0.8-1.redhat_00001.1.el8.
To fix CVE-2022-0866, update your eap7-wildfly package to version 7.4.5-3.GA_redhat_00001.1.el8ea or 7.4.5-3.GA_redhat_00001.1.el7ea, or update your rh-sso7-keycloak package to version 15.0.8-1.redhat_00001.1.el7 or 15.0.8-1.redhat_00001.1.el8 (or the corresponding fixed version listed in the table above for your platform). After updating, confirm the installed package version with `rpm -q eap7-wildfly` or `rpm -q rh-sso7-keycloak`.
You can find more information about CVE-2022-0866 on the Red Hat Security Advisory pages: [RHSA-2022:4922](https://access.redhat.com/errata/RHSA-2022:4922), [RHSA-2022:4918](https://access.redhat.com/errata/RHSA-2022:4918), [RHSA-2022:4919](https://access.redhat.com/errata/RHSA-2022:4919).