PT-2012-3104 · Red Hat · Jbosswebrealm+5

Arun Babu Neelicattu · Published 2012-11-23 · Updated 2017-08-29 · CVE-2012-1167

CVSS v2.0: 4.6 (Medium)
Vector: AV:N/AC:H/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

JBoss Enterprise Application Platform versions 5.1.x through 5.1.1
JBoss Enterprise Application Platform versions 5.2.x through 5.2.1
Web Platform versions 5.1.x through 5.1.1
BRMS Platform versions prior to 5.3.0
SOA Platform versions prior to 5.3.0

Description

The issue arises when the JBoss Server is configured to use the JaccAuthorizationRealm and the ignoreBaseDecision property is set to true on the JBossWebRealm. This configuration leads to improper checking of the permissions created by the WebPermissionMapping class. As a result, remote authenticated users can access arbitrary applications.

Recommendations

For JBoss Enterprise Application Platform versions 5.1.x through 5.1.1, update to version 5.1.2 or later.
For JBoss Enterprise Application Platform versions 5.2.x through 5.2.1, update to version 5.2.2 or later.
For Web Platform versions 5.1.x through 5.1.1, update to version 5.1.2 or later.
For BRMS Platform versions prior to 5.3.0, update to version 5.3.0 or later.
For SOA Platform versions prior to 5.3.0, update to version 5.3.0 or later.
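A configuration audit for the weak combination the description names, written as an added example (not Red Hat's or the advisory's own code). It assumes the realm is declared as a <Realm> element in the JBoss Web server.xml with className and ignoreBaseDecision attributes, and that a missing ignoreBaseDecision attribute means false; both are assumptions, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a JBoss Web server.xml fragment (not a real deployment).
# The Host-level realm below carries the combination the advisory describes.
SAMPLE_SERVER_XML = """<Server>
  <Service name="jboss.web">
    <Engine name="jboss.web" defaultHost="localhost">
      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
             ignoreBaseDecision="false"/>
      <Host name="localhost">
        <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
               ignoreBaseDecision="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

JACC_REALM = "JaccAuthorizationRealm"


def _walk(elem, path, hits):
    """Recurse over the tree, recording every <Realm> whose className is a
    JaccAuthorizationRealm and whose ignoreBaseDecision attribute is true."""
    tag_path = path + "/" + elem.tag
    if elem.tag == "Realm":
        class_name = elem.get("className", "")
        # Assumption: an absent attribute behaves as "false".
        ignore_base = elem.get("ignoreBaseDecision", "false").strip().lower() == "true"
        if class_name.endswith(JACC_REALM) and ignore_base:
            hits.append((tag_path, class_name))
    for child in elem:
        _walk(child, tag_path, hits)


def find_risky_realms(server_xml: str) -> list:
    """Return (element path, className) for each realm matching the advisory's
    condition; an empty list means the file does not contain the combination."""
    hits = []
    _walk(ET.fromstring(server_xml), "", hits)
    return hits


if __name__ == "__main__":
    for path, class_name in find_risky_realms(SAMPLE_SERVER_XML):
        print(f"ignoreBaseDecision=true on {class_name} at {path}")
```

Run it against each server.xml of an affected EAP/Web/BRMS/SOA deployment; the fix is still the platform update the recommendations list, with the audit only showing which hosts carry the weak setting.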

Related Identifiers

CVE-2012-1167
RHSA-2012:1026
RHSA-2012:1027

Affected Products

Brms Platform
Red Hat Jboss Enterprise Application Platform
Jboss Server
Jbosswebrealm
Soa Platform
Web Platform