CVE-2016-8657 — Incorrect Permission Assignment in Redhat Jboss Enterprise Application Platform

CWE-264 CWE-732 — Incorrect Permission Assignment5 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 82.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform

Timeline

PublishedJul 31

Latest updateMay 14

Description

It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration files. The file is writable to jboss group (root:jboss, 664). On systems using classic /etc/init.d init scripts (i.e. on Red Hat Enterprise Linux 6 and earlier), the file is sourced by the jboss init script and its content executed with root privileges when jboss service is started, stopped, or restarted.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_application_platform5.0.0, 6.0.0, 6.4.0+2

🔴Vulnerability Details

GHSA

GHSA-gqxm-5ghp-x5rj: It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration↗2022-05-14

▶

CVEList

CVE-2016-8657: It was discovered that EAP packages in certain versions of Red Hat Enterprise Linux use incorrect permissions for /etc/sysconfig/jbossas configuration↗2018-07-31

▶

📋Vendor Advisories

Red Hat

jboss: jbossas writable config files allow privilege escalation↗2016-10-10

▶

💬Community

Bugzilla

CVE-2016-8657 jboss: jbossas writable config files allow privilege escalation↗2016-11-30

▶