PRIOn knowledge basePRION:CVE-2019-3894

HistoryMay 03, 2019 - 8:29 p.m.

Code injection

2019-05-0320:29:00

PRIOn knowledge base

www.prio-n.com

9 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

79.2%

JSON

It was discovered that the ElytronManagedThread in Wildfly’s Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.

CPENameOperatorVersion
jboss_enterprise_application_platformeq7.0.0
wildflyge11.0.0
wildflyle16.0.0

Name	Operator	Version
jboss_enterprise_application_platform	eq	7.0.0
wildfly	ge	11.0.0
wildfly	le	16.0.0

References

access.redhat.com/errata/RHSA-2019:1106

access.redhat.com/errata/RHSA-2019:1107

access.redhat.com/errata/RHSA-2019:1108

access.redhat.com/errata/RHSA-2019:1140

bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894

security.netapp.com/advisory/ntap-20190517-0004/