Jboss EAP Incorrect Authorization Vulnerability - CVE-2022-0866

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponentincomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal it39s possible for the wrong the caller principal to be returned from EJBComponentgetCallerPrincipal. Similarly it39s also possible for EJBComponentisCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11 when Elytron is enabled.