PT-2020-7595 · Red Hat · Jboss Portal

Published

2020-01-02

·

Updated

2020-01-14

·

CVE-2014-0245

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

JBoss Portal version 6.2.0

Description

The GTNSubjectCreatingInterceptor class in gatein-wsrp, as shipped with JBoss Portal 6.2.0, is not thread safe. The interceptor is shared by all requests while it creates the security Subject for each one, so concurrent requests can race: under high concurrency, or when a SOAP message takes a long time to process, state the interceptor builds for one request can become visible to another. An unauthenticated remote attacker can use this to obtain sensitive information, provided WS-Security is enabled for the WSRP Consumer and the endpoint is being used by a privileged user.

Recommendations

For JBoss Portal version 6.2.0, restrict access to the affected WSRP endpoint (for example, to trusted networks or consumers only) to reduce the risk of exploitation until a patch is available. As a temporary workaround, disabling WS-Security for the WSRP Consumer removes the precondition for this issue, but it also removes the message-level protection WS-Security provides, so combine it with transport-level restrictions rather than relying on it alone. At the moment, there is no information about a newer version that contains a fix for this issue.
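The weakness class behind this entry (a request-scoped security Subject held in state that is shared between threads) is easier to see in a self-contained demonstration. The following Java program is an added illustration written for this page; it is not code from gatein-wsrp or JBoss Portal, and the Message, Subject and Interceptor types are hypothetical stand-ins for the SOAP message context and JAAS Subject of a real interceptor. The shared-field interceptor reproduces the race: under concurrent requests, the "admin" request's Subject can end up attached to an anonymous request, or vice versa. The message-scoped interceptor keeps the Subject in the per-message context and never crosses requests.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class SubjectInterceptorRace {

    // Hypothetical stand-in for a per-request SOAP message and its context map.
    static final class Message {
        final String requestUser;
        final Map<String, Object> context = new ConcurrentHashMap<>();
        Message(String user) { this.requestUser = user; }
    }

    // Hypothetical stand-in for a JAAS Subject: only the principal name matters here.
    static final class Subject {
        final String principal;
        Subject(String p) { this.principal = p; }
    }

    interface Interceptor {
        void handleMessage(Message m) throws InterruptedException;
        Subject subjectFor(Message m);
    }

    // VULNERABLE pattern: a single interceptor instance serves every request and keeps
    // the Subject it is building in an instance field shared by all threads.
    static final class SharedFieldInterceptor implements Interceptor {
        private Subject current;   // shared mutable state -> race between requests

        public void handleMessage(Message m) throws InterruptedException {
            current = new Subject(m.requestUser);
            // Simulates a slow SOAP message; widens the window in which another
            // thread overwrites `current` before this request reads it back.
            Thread.sleep(2);
            m.context.put("subject", current);
        }
        public Subject subjectFor(Message m) { return (Subject) m.context.get("subject"); }
    }

    // SAFE pattern: the Subject lives only in the per-message context; the interceptor
    // itself carries no mutable state, so concurrent requests cannot interfere.
    static final class MessageScopedInterceptor implements Interceptor {
        public void handleMessage(Message m) throws InterruptedException {
            Subject s = new Subject(m.requestUser);
            Thread.sleep(2);
            m.context.put("subject", s);
        }
        public Subject subjectFor(Message m) { return (Subject) m.context.get("subject"); }
    }

    // Pushes `threads` concurrent requests (one privileged "admin", the rest anonymous)
    // through the interceptor and counts how many requests end up carrying a Subject
    // whose principal is not the request's own user.
    static int countCrossUserSubjects(Interceptor interceptor, int threads) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger mismatches = new AtomicInteger();
        for (int i = 0; i < threads; i++) {
            final String user = (i == 0) ? "admin" : "anonymous-" + i;
            pool.submit(() -> {
                try {
                    Message m = new Message(user);
                    start.await();                      // release all requests at once
                    interceptor.handleMessage(m);
                    Subject s = interceptor.subjectFor(m);
                    if (s == null || !user.equals(s.principal)) mismatches.incrementAndGet();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
                return null;
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(30, TimeUnit.SECONDS);
        return mismatches.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared-field interceptor, cross-user subjects: "
                + countCrossUserSubjects(new SharedFieldInterceptor(), 64));
        System.out.println("message-scoped interceptor, cross-user subjects: "
                + countCrossUserSubjects(new MessageScopedInterceptor(), 64));
    }
}
```

Compile and run with `javac SubjectInterceptorRace.java && java SubjectInterceptorRace`. The shared-field count is timing dependent and is normally well above zero on a multi-core machine, which is the same "high concurrency or long-running SOAP message" condition the description names; the message-scoped count is always zero. The fix pattern is the general one for any interceptor or filter that is instantiated once and invoked from many threads: keep per-request data on the request, never on the interceptor.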

Fix

Not listed (see Recommendations)

Weakness Enumeration

Race Condition

Related Identifiers

CVE-2014-0245

Affected Products

Jboss Portal