CVE-2019-3894

Name of the Vulnerable Software and Affected Versions WildFly versions 11 through 16

Description The issue is related to security checking implementation errors for standard elements in the Java application server. It may allow a remote attacker to impact the confidentiality and integrity of protected information. Specifically, the ElytronManagedThread in Wildfly's Elytron subsystem stores a SecurityIdentity to run the thread as, and these threads may not terminate even after the keep alive time has expired, potentially allowing a shared thread to use the wrong security identity when executing.

Recommendations For WildFly versions 11 through 16, consider restricting access to the Elytron subsystem until a patch is available. As a temporary workaround, consider disabling the use of shared threads in the Elytron subsystem to minimize the risk of exploitation. Avoid using the ElytronManagedThread function in the affected Wildfly versions until the issue is resolved.