CVE-2022-0866

Name of the Vulnerable Software and Affected Versions JBoss EAP versions 7.1.0 and later WildFly versions 11 and later when Elytron is enabled

Description This issue is related to a concurrency problem that can cause the wrong caller principal to be returned from the session context of an EJB configured with a RunAs principal. The org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to track the current identity before switching to a new one created using the RunAs principal. In a concurrent environment with multiple users invoking an EJB configured with a RunAs principal, it's possible for the wrong caller principal to be returned from EJBComponent#getCallerPrincipal or for EJBComponent#isCallerInRole to return the wrong value, as both methods rely on incomingRunAsIdentity.

Recommendations For JBoss EAP versions 7.1.0 and later, consider disabling the Elytron security component until a patch is available. For WildFly versions 11 and later when Elytron is enabled, restrict access to EJBs configured with a RunAs principal to minimize the risk of exploitation. As a temporary workaround, consider disabling the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.