WildFly Server Role-Based Access Control Vulnerability Allows Unauthorized Server Suspension or Resumption

Vulnerability

A vulnerability exists in the WildFly Server's Role-Based Access Control (RBAC) provider. It allows users assigned the Monitor or Auditor role, who should only have read access, to suspend or resume the server. The issue arises because the Suspend and Resume operation handlers do not check whether the caller holds the necessary permission before performing these actions. As a result, an unauthorized user can disrupt server operation by suspending the server, which stops it from processing requests, and then resuming it, which restores normal operation.

Impact

Exploitation of this vulnerability allows unauthorized users to suspend or resume the server, disrupting its ability to process user requests. This could lead to service availability issues, as suspended servers stop receiving requests, causing potential downtime or delays in service.

Reproduction

To reproduce this vulnerability, log into a WildFly server on which access control is enabled and the RBAC provider is active. Then use an account assigned to the Monitor or Auditor role to invoke management operations. The server can be suspended or resumed, even though these roles are granted read access only.
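The following detection script is an added example, not part of the advisory: it scans WildFly management audit-log records for successful or attempted suspend/resume operations and flags those issued by users whose RBAC role is read-only (Monitor or Auditor). It assumes the JSON audit-log formatter in compact form with no date prefix (one JSON object per line); the audit records and the user-to-role mapping below are constructed, as in a real deployment the mapping comes from the server's RBAC role-mapping configuration.

```python
import json
from typing import Iterable, List

# Management operations this advisory concerns.
SUSPEND_RESUME_OPS = {"suspend", "resume"}

# WildFly standard roles allowed to change server state. Monitor and Auditor
# are read-only roles and must never appear in this set.
STATE_CHANGING_ROLES = {"Administrator", "SuperUser", "Maintainer", "Operator"}

# Constructed user-to-role mapping (hypothetical; normally taken from the
# server's RBAC role-mapping configuration).
USER_ROLES = {
    "ops-admin": "Administrator",
    "alice": "Monitor",
    "bob": "Auditor",
}

# Constructed audit records in the shape of WildFly's JSON audit log,
# compact formatter, no date prefix (assumption: one record per line).
SAMPLE_AUDIT_LOG = """\
{"type":"core","r/o":false,"booting":false,"user":"ops-admin","access":"HTTP","remote-address":"10.0.0.5","success":true,"ops":[{"operation":"suspend","address":[],"timeout":30}]}
{"type":"core","r/o":true,"booting":false,"user":"alice","access":"HTTP","remote-address":"10.0.0.9","success":true,"ops":[{"operation":"read-attribute","address":[],"name":"server-state"}]}
{"type":"core","r/o":false,"booting":false,"user":"alice","access":"HTTP","remote-address":"10.0.0.9","success":true,"ops":[{"operation":"suspend","address":[],"timeout":0}]}
{"type":"core","r/o":false,"booting":false,"user":"bob","access":"NATIVE","remote-address":"10.0.0.7","success":true,"ops":[{"operation":"resume","address":[]}]}
"""


def find_unauthorized_state_changes(lines: Iterable[str], user_roles: dict) -> List[dict]:
    """Return one finding per suspend/resume operation issued by a user whose
    role is not permitted to change server state. Denied attempts are kept
    too (see the "success" field) because they indicate probing."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines instead of aborting the scan
        user = record.get("user")
        role = user_roles.get(user, "unknown")  # unmapped users are treated as read-only
        for op in record.get("ops", []):
            name = op.get("operation")
            if name in SUSPEND_RESUME_OPS and role not in STATE_CHANGING_ROLES:
                findings.append({"user": user, "role": role, "operation": name,
                                 "remote_address": record.get("remote-address"),
                                 "success": record.get("success")})
    return findings
```

On a patched server the same scan should only ever report denied attempts (`"success": false`); a successful suspend or resume by a Monitor or Auditor user is direct evidence of this issue.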

Remediation

This vulnerability has been addressed in WildFly Core versions 27.0.1.Final and 28.0.0.Beta2. Users should upgrade to these versions.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 3.1
exploitability: 5.8
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.