Carlo De Wolf

**Name of the Vulnerable Software and Affected Versions** JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0 JBoss Web Platform (EWP) versions prior to 5.2.0 JBoss BRMS Platform versions prior to 5.3.1 JBoss SOA Platform versions prior to 5.3.1 **Description** The issue allows remote attackers to gain privileges of the previous user via a null password, which causes the previous user's password to be used. This occurs due to a flaw in the CallerIdentityLoginModule. **Recommendations** For JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0, update to version 5.2.0 or later. For JBoss Web Platform (EWP) versions prior to 5.2.0, update to version 5.2.0 or later. For JBoss BRMS Platform versions prior to 5.3.1, update to version 5.3.1 or later. For JBoss SOA Platform versions prior to 5.3.1, update to version 5.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0 JBoss Web Platform (EWP) versions prior to 5.2.0 BRMS Platform versions prior to 5.3.1 SOA Platform versions prior to 5.3.1 **Description** The issue allows remote attackers to gain privileges as other users due to the SecurityAssociation.getCredential method returning the credentials of the previous user when a security context is not provided. **Recommendations** For JBoss Enterprise Application Platform (EAP) versions prior to 5.2.0, update to version 5.2.0 or later. For JBoss Web Platform (EWP) versions prior to 5.2.0, update to version 5.2.0 or later. For BRMS Platform versions prior to 5.3.1, update to version 5.3.1 or later. For SOA Platform versions prior to 5.3.1, update to version 5.3.1 or later.