
CVE-2015-5304 Missing authorization check for Monitor/Deployer/Auditor role when shutting down server or canceling op


    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.0.0.Final, 1.0.1.Final, 2.0.0.Final, 2.0.1.Final, 2.0.2.Final, 2.0.3.Final
    • Fix Version/s: 2.0.4.Final
    • Component/s: Management
    • Labels:


      It was found that the server or host controller did not properly authorize a user performing a shut down. A user with the role Monitor, Deployer, or Auditor could use this flaw to shut down the EAP server, which is an action restricted to users in other roles.

      The following commit introduced this issue:


      The context.getServiceRegistry(true) call, which throws an exception when write authorization fails, was replaced with a call to context.authorize, which only returns an authorization result. Nothing was then done with the authorization result.

      The same flaw exists in the handling of the cancel-active-operation op, although there it only means the admin could cancel an in-progress operation, perhaps one initiated by a different admin. It also lets the admin cancel his own operation, which is arguably a benefit. But losing that benefit is an acceptable price for having a consistent RBAC scheme. (Note: CLI users whose own operations are hanging can always cancel them by doing a soft kill of the CLI process. Users of custom clients that use ModelControllerClient can cancel their own ops by using the ModelControllerClient executeAsync API and cancelling the Future returned thereby.)
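      As an added illustration (not the project's own code and not the fixing commit), a minimal WildFly OperationStepHandler in the shape the description implies: the broken form calls context.authorize and discards the result, the corrected form fails the step when the decision is DENY. OperationContext.authorize, AuthorizationResult and OperationFailedException are real WildFly Core types; the class names, doShutdown, and the choice of exception thrown on denial are assumptions made for this example.

```java
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.access.AuthorizationResult;
import org.jboss.dmr.ModelNode;

/**
 * Illustrative handlers (assumption: not WildFly's own classes) showing the
 * flaw described in WFCORE-1067 and the corrected check side by side.
 */
public final class ShutdownCheckExample {

    /** Broken shape: authorization is computed and then silently ignored. */
    static final class UncheckedShutdownHandler implements OperationStepHandler {
        @Override
        public void execute(OperationContext context, ModelNode operation)
                throws OperationFailedException {
            // context.getServiceRegistry(true) would have thrown on a failed write
            // authorization; context.authorize only reports PERMIT or DENY. Nothing
            // inspects the result, so any role reaches the privileged action.
            AuthorizationResult ignored = context.authorize(operation);
            doShutdown(context);
        }
    }

    /** Corrected shape: a DENY decision fails the operation before any effect. */
    static final class CheckedShutdownHandler implements OperationStepHandler {
        @Override
        public void execute(OperationContext context, ModelNode operation)
                throws OperationFailedException {
            AuthorizationResult result = context.authorize(operation);
            if (result.getDecision() == AuthorizationResult.Decision.DENY) {
                // Fail the step with the RBAC engine's explanation (assumption:
                // the real fix may use a dedicated logger message instead).
                throw new OperationFailedException(result.getExplanation());
            }
            doShutdown(context);
        }
    }

    /** Stand-in for the privileged action (assumption: real code schedules the stop). */
    static void doShutdown(OperationContext context) {
        // intentionally empty in this example
    }
}
```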





    • Assignee: Brian Stansberry