A flaw was found in JBoss Enterprise Application Platform. The `processInvocation` function within the `org.jboss.as.ejb3.security.AuthorizationInterceptor` component incorrectly authorizes all requests when no roles are defined for an Enterprise Java Beans (EJB) method invocation. This allows attackers to bypass intended access restrictions for EJB methods, leading to unauthorized access to sensitive functionalities.
Security readout for executives and security teams
Plain-English summary
This flaw could let an unauthenticated network attacker reach EJB methods that administrators expected to be restricted. It occurs when no roles are defined for an EJB method and JBoss EAP authorization treats the call as allowed. Business impact is unauthorized access to sensitive application functions, with limited confidentiality and integrity impact per CVSS.
Executive priority
Treat as a moderate legacy-platform access-control issue. It should be prioritized where JBoss EAP 6 remains internet reachable, supports sensitive business functions, or runs without current vendor support. No source provided confirms active exploitation.
Technical view
CVE-2012-4549 affects Red Hat JBoss Enterprise Application Platform EJB authorization handling. The AuthorizationInterceptor processInvocation logic incorrectly permits invocations when an EJB method has no roles defined. The published vector is network reachable, low complexity, no privileges, no user interaction, unchanged scope, with low confidentiality and integrity impact.
Likely exposure
Most likely exposure is Red Hat JBoss Enterprise Application Platform 6 deployments, especially EAP 6 for RHEL 5 package builds listed in the source bundle. The bundle also marks JBoss EAP 6.0 default status as unaffected, so product-channel confirmation is important.
Exploitation context
The source bundle does not show CISA KEV listing or cited evidence of active exploitation. The vulnerability is remotely reachable and does not require authentication, but the practical risk depends on whether exposed EJB methods lack explicit role restrictions and provide sensitive operations.
Researcher notes
Evidence is limited to the CVE description, Red Hat advisories, and source metadata. The affected list contains broad EAP 6 for RHEL 5 package entries and an unaffected default status for EAP 6.0, so validate exact entitlement channel and installed build before declaring exposure.
Mitigation direction
Review Red Hat RHSA-2012:1591, RHSA-2012:1592, and RHSA-2012:1594 for applicable updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-266: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
5Source links
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-266 · source CWE mapping
Incorrect Privilege Assignment
Incorrect Privilege Assignment represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.