Moderate severityNVD Advisory· Published Oct 14, 2019· Updated Aug 5, 2024

CVE-2019-14838


Description

In wildfly-core before 7.2.5.GA, users with Monitor, Auditor, or Deployer roles could improperly modify runtime state, violating access controls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In wildfly-core before 7.2.5.GA, users with Monitor, Auditor, or Deployer roles could improperly modify runtime state, violating access controls.

Vulnerability

A flaw in wildfly-core versions prior to 7.2.5.GA allowed users assigned to the Monitor, Auditor, or Deployer roles to modify the runtime state of the server [1][2][3]. This violates the intended access control, since these roles are meant to carry only read-only or narrowly scoped privileges.

Exploitation

An attacker with valid management credentials and one of these roles can exploit the flaw by sending requests to the management interface to change runtime configurations [1][2][3]. No additional privileges are required beyond the assigned role.

Impact

Successful exploitation could lead to unauthorized modification of the server's runtime state, potentially causing service disruption or enabling further unauthorized actions. Red Hat rated this as Important severity [1][2][3].

Mitigation

The issue is fixed in wildfly-core 7.2.5.GA. Users should update to Red Hat JBoss Enterprise Application Platform 7.2.5 or later [1][2][3].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.wildfly.core:wildfly-host-controller (Maven) — Affected versions: < 7.2.5.GA — Patched versions: 7.2.5.GA


Patches

131fa6880ae1

Merge pull request #3981 from gaol/CVE-2019-14838-master-core

https://github.com/wildfly/wildfly-coreJeff MesnilOct 14, 2019via ghsa
6 files changed · +88 29
  • host-controller/src/main/java/org/jboss/as/domain/controller/operations/DomainServerLifecycleHandlers.java+2 2 modified
    @@ -513,7 +513,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat
                 context.addStep(new OperationStepHandler() {
                     @Override
                     public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    -                    context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
    +                    context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME)).failIfDenied(operation);
                         context.completeStep(new OperationContext.ResultHandler() {
                             @Override
                             public void handleResult(OperationContext.ResultAction resultAction, OperationContext context, ModelNode operation) {
    @@ -551,7 +551,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat
                 context.addStep(new OperationStepHandler() {
                     @Override
                     public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    -                    context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
    +                    context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME)).failIfDenied(operation);
                         context.completeStep(new OperationContext.ResultHandler() {
                             @Override
                             public void handleResult(OperationContext.ResultAction resultAction, OperationContext context, ModelNode operation) {
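Review bot: The removed line shows how easily this check is defeated: `context.authorize(...)` returns a result object and nothing about the call site makes it obvious that discarding it means the operation proceeds regardless of the decision, so the new line deserves a why-comment such as `// authorize() only yields the decision; failIfDenied() is what actually rejects a caller lacking WRITE_RUNTIME`. The same fix, with the same missing comment, appears in the second hunk of this file and in the ServerProcessHandlers.java and ServerStopHandler.java hunks. As a follow-up outside this diff, marking `OperationContext.authorize` with a check-return-value annotation (e.g. Error Prone's `@CheckReturnValue`) would let the build flag any future call that drops the result. The enclosing `execute` methods begin and end outside these hunks.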
    
  • host-controller/src/main/java/org/jboss/as/host/controller/operations/ServerProcessHandlers.java+1 1 modified
    @@ -49,7 +49,7 @@ public void execute(final OperationContext context, final ModelNode operation) t
             context.addStep(new OperationStepHandler() {
                 @Override
                 public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    -                context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
    +                context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME)).failIfDenied(operation);
                     context.completeStep(new OperationContext.ResultHandler() {
                         @Override
                         public void handleResult(OperationContext.ResultAction resultAction, OperationContext context, ModelNode operation) {
    
  • host-controller/src/main/java/org/jboss/as/host/controller/operations/ServerStopHandler.java+1 1 modified
    @@ -71,7 +71,7 @@ public void execute(OperationContext context, ModelNode operation) throws Operat
                     // If another op that is a step in a composite step with this op needs to modify the container
                     // it will have to wait for container stability, so skipping this only matters for the case
                     // where this step is the only runtime change.
    -                context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME));
    +                context.authorize(operation, EnumSet.of(Action.ActionEffect.WRITE_RUNTIME)).failIfDenied(operation);
     
                     final ServerStatus status = serverInventory.stopServer(serverName, timeout, blocking);
                     try {
    
  • testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/rbac/AbstractHostScopedRolesTestCase.java+18 0 modified
    @@ -163,6 +163,12 @@ public void testMonitor() throws Exception {
     
             testWLFY2299(client, Outcome.UNAUTHORIZED, MONITOR_USER);
             restartServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, MONITOR_USER);
         }
     
         @Test
    @@ -261,6 +267,12 @@ public void testDeployer() throws Exception {
     
             testWLFY2299(client, Outcome.UNAUTHORIZED, DEPLOYER_USER);
             restartServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, DEPLOYER_USER);
         }
     
         @Test
    @@ -326,6 +338,12 @@ public void testAuditor() throws Exception {
     
             testWLFY2299(client, Outcome.UNAUTHORIZED, AUDITOR_USER);
             restartServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, AUDITOR_USER);
         }
     
         @Test
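Review bot: The new assertions in testMonitor, testDeployer and testAuditor only pin the denied outcome; no call in these hunks checks that a role which is supposed to be allowed to stop, kill or destroy servers still gets a successful outcome after the handlers were tightened, so an over-strict fix would pass this suite unnoticed. If the permitting roles are not exercised for these five operations elsewhere in the test methods outside the hunks, a matching positive call (same helpers with `Outcome.SUCCESS` and an authorized user) in those methods would close that gap. The same observation applies to the three hunks in AbstractStandardRolesTestCase.java. The enclosing test methods begin outside the hunks.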
    
  • testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/rbac/AbstractRbacTestCase.java+48 25 modified
    @@ -22,31 +22,7 @@
     
     package org.jboss.as.test.integration.domain.rbac;
     
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ACCESS_CONTROL;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ADD;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.AUTO_START;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.BLOCKING;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.BYTES;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.CHILD_TYPE;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.CONTENT;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.DESCRIBE;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.ENABLED;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.GROUP;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.HOST;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OPERATIONS;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.OUTCOME;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PASSWORD;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PATH;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.PROFILE;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.READ_CHILDREN_NAMES_OPERATION;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.READ_CONFIG_AS_XML_OPERATION;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.READ_RESOURCE_DESCRIPTION_OPERATION;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.READ_RESOURCE_OPERATION;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.REMOVE;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.RESTART;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.RESULT;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUBSYSTEM;
    -import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.SUCCESS;
    +import static org.jboss.as.controller.descriptions.ModelDescriptionConstants.*;
     import static org.jboss.as.test.integration.management.util.ModelUtil.createOpNode;
     import static org.junit.Assert.assertEquals;
     
    @@ -313,6 +289,53 @@ protected void restartServer(ModelControllerClient client, String host, String s
             RbacUtil.executeOperation(client, op, expectedOutcome);
         }
     
    +    protected void stopServer(ModelControllerClient client, String host, String server,
    +                                 Outcome expectedOutcome, String... roles) throws IOException {
    +        String fullAddress = String.format("host=%s/server-config=%s", host, server);
    +        ModelNode op = createOpNode(fullAddress, STOP);
    +        op.get(BLOCKING).set(true);
    +        configureRoles(op, roles);
    +        RbacUtil.executeOperation(client, op, expectedOutcome);
    +    }
    +
    +    protected void killServer(ModelControllerClient client, String host, String server,
    +                              Outcome expectedOutcome, String... roles) throws IOException {
    +        String fullAddress = String.format("host=%s/server-config=%s", host, server);
    +        ModelNode op = createOpNode(fullAddress, KILL);
    +        op.get(BLOCKING).set(true);
    +        configureRoles(op, roles);
    +        RbacUtil.executeOperation(client, op, expectedOutcome);
    +    }
    +
    +    protected void destroyServer(ModelControllerClient client, String host, String server,
    +                              Outcome expectedOutcome, String... roles) throws IOException {
    +        String fullAddress = String.format("host=%s/server-config=%s", host, server);
    +        ModelNode op = createOpNode(fullAddress, DESTROY);
    +        op.get(BLOCKING).set(true);
    +        configureRoles(op, roles);
    +        RbacUtil.executeOperation(client, op, expectedOutcome);
    +    }
    +
    +    protected void killServersInGroup(ModelControllerClient client, Outcome expectedOutcome, String... roles)
    +            throws IOException {
    +        final String serverGroupAddress = String.format("server-group=%s", SERVER_GROUP_A);
    +        // check
    +        ModelNode op = createOpNode(serverGroupAddress, KILL_SERVERS);
    +        op.get(BLOCKING).set(true);
    +        configureRoles(op, roles);
    +        RbacUtil.executeOperation(client, op, expectedOutcome);
    +    }
    +
    +    protected void destroyServersInGroup(ModelControllerClient client, Outcome expectedOutcome, String... roles)
    +            throws IOException {
    +        final String serverGroupAddress = String.format("server-group=%s", SERVER_GROUP_A);
    +        // check
    +        ModelNode op = createOpNode(serverGroupAddress, DESTROY_SERVERS);
    +        op.get(BLOCKING).set(true);
    +        configureRoles(op, roles);
    +        RbacUtil.executeOperation(client, op, expectedOutcome);
    +    }
    +
         protected ModelNode getServerConfigAccessControl(ModelControllerClient client, String... roles) throws IOException {
             ModelNode op = createOpNode(GENERIC_SERVER_CONFIG_ADDRESS, READ_RESOURCE_DESCRIPTION_OPERATION);
             op.get(ACCESS_CONTROL).set("trim-descriptions");
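Review bot: The five helpers added in the second hunk, stopServer through destroyServersInGroup, repeat the same four-line body and differ only in the target address and the operation name, so a single private helper would keep them consistent and make the next lifecycle operation a one-liner; a sketch follows. The `// check` comments in killServersInGroup and destroyServersInGroup say nothing and should either be dropped or state what is being checked. It is also worth confirming that `kill`, `destroy` and the server-group variants actually declare a `blocking` parameter, since every helper sets `op.get(BLOCKING).set(true)` regardless of the operation. Separately, the first hunk replaces twenty-five explicit static imports with `ModelDescriptionConstants.*`; a wildcard static import pulls every constant of that class into scope and hides which names the test relies on, so adding only the constants the new helpers need (presumably `STOP`, `KILL`, `DESTROY`, `KILL_SERVERS`, `DESTROY_SERVERS`) would be the narrower change.
```java
    // … unchanged: restartServer …

    /** Runs {@code opName} at {@code address} with blocking=true under {@code roles} and checks the outcome. */
    private void executeBlockingOp(ModelControllerClient client, String address, String opName,
                                   Outcome expectedOutcome, String... roles) throws IOException {
        ModelNode op = createOpNode(address, opName);
        op.get(BLOCKING).set(true);
        configureRoles(op, roles);
        RbacUtil.executeOperation(client, op, expectedOutcome);
    }

    protected void stopServer(ModelControllerClient client, String host, String server,
                              Outcome expectedOutcome, String... roles) throws IOException {
        executeBlockingOp(client, String.format("host=%s/server-config=%s", host, server), STOP, expectedOutcome, roles);
    }

    protected void killServersInGroup(ModelControllerClient client, Outcome expectedOutcome, String... roles)
            throws IOException {
        executeBlockingOp(client, String.format("server-group=%s", SERVER_GROUP_A), KILL_SERVERS, expectedOutcome, roles);
    }

    // … killServer / destroyServer and destroyServersInGroup follow the same shape with KILL, DESTROY and DESTROY_SERVERS …
```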
    
  • testsuite/domain/src/test/java/org/jboss/as/test/integration/domain/rbac/AbstractStandardRolesTestCase.java+18 0 modified
    @@ -98,6 +98,12 @@ public void testMonitor() throws Exception {
     
             // Monitor can't shutdown
             testWCORE1067(client, MONITOR_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, MONITOR_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, MONITOR_USER);
         }
     
         @Test
    @@ -169,6 +175,12 @@ public void testDeployer() throws Exception {
     
             // Deployer can't shutdown
             testWCORE1067(client, DEPLOYER_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, DEPLOYER_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, DEPLOYER_USER);
         }
     
         @Test
    @@ -218,6 +230,12 @@ public void testAuditor() throws Exception {
     
             // Auditor can't shutdown
             testWCORE1067(client, AUDITOR_USER);
    +
    +        stopServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        killServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        destroyServer(client, MASTER, MASTER_A, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        killServersInGroup(client, Outcome.UNAUTHORIZED, AUDITOR_USER);
    +        destroyServersInGroup(client, Outcome.UNAUTHORIZED, AUDITOR_USER);
         }
     
         @Test
    

