cve/2022/CVE-2022-0866.md

### [CVE-2022-0866](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0866)
![](https://img.shields.io/static/v1?label=Product&message=Wildfly&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20JBoss%20EAP%20from%207.1.0%20and%20all%20versions%20of%20WildFly%2011%2B%20when%20Elytron%20is%20enabled.%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-863&color=brighgreen)

### Description

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2022-0866](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0866)`
			`![](https://img.shields.io/static/v1?label=Product&message=Wildfly&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=%3D%20JBoss%20EAP%20from%207.1.0%20and%20all%20versions%20of%20WildFly%2011%2B%20when%20Elytron%20is%20enabled.%20&color=brighgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-863&color=brighgreen)`

			`### Description`

			This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

			`### POC`

			`#### Reference`
			`No PoCs from references.`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`