PatchSiren

PatchSiren cyber security CVE debrief

CVE-2012-4549 Redhat CVE debrief

CVE-2012-4549 is an access-control flaw in Red Hat JBoss Enterprise Application Platform. When an EJB method invocation has no roles defined, the AuthorizationInterceptor processInvocation path can incorrectly authorize the request instead of denying it. In practice, that can expose sensitive EJB functionality to unauthenticated or otherwise unauthorized network attackers.

Vendor
Redhat
Product
JBoss Enterprise Application Platform
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2013-01-05
Original CVE updated
2026-05-14
Advisory published
2013-01-05
Advisory updated
2026-05-14

Who should care

Administrators, developers, and security teams running Red Hat JBoss Enterprise Application Platform, especially deployments that rely on EJB role-based authorization. Any environment exposing EJB methods should verify that its access-control rules are explicit and that vendor advisories have been applied.

Technical summary

The NVD record describes a flaw in org.jboss.as.ejb3.security.AuthorizationInterceptor::processInvocation where the authorization logic treats the absence of defined roles on an EJB method as authorization success rather than as grounds to deny the invocation. The result is an authorization bypass affecting JBoss Enterprise Application Platform releases identified in the NVD CPE data, including explicit entries for 4.2.0, 4.3.0, and 5.0.0 through 5.2.2, with a broader vulnerable range listed up to 6.0.0. One caveat for inventory work: the org.jboss.as.ejb3 package belongs to the EAP 6 (JBoss AS 7) code line, so the 6.0.0 entry is the one the named class applies to directly; treat the older 4.x and 5.x CPE entries as something to verify against your installed stream rather than assume. The weakness is classified by Red Hat as CWE-266 and by NVD as CWE-264.

Defensive priority

Medium priority for any organization running affected JBoss EAP instances, because the issue is network-exploitable, requires no user interaction, and can expose sensitive application functionality through authorization bypass.

Recommended defensive actions

  • Apply the Red Hat security advisory that matches your installed JBoss Enterprise Application Platform stream and platform: RHSA-2012:1591, RHSA-2012:1592, or RHSA-2012:1594.
  • Identify deployed EJB methods that carry no role definition but are expected to be inaccessible, and give every sensitive method an explicit rule (for example @RolesAllowed or @DenyAll) instead of relying on the container to deny by default.
  • Review application and container authorization settings for EJB endpoints to ensure unauthenticated access is not possible.
  • Inventory JBoss EAP versions in use and compare them against the affected CPE entries in the NVD record before scheduling remediation.
  • Validate remediation by retesting role-based access control paths for representative EJB invocations after patching.
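The following Java sketch is an added example, not code from Red Hat or the JBoss project. It models the interceptor decision the technical summary describes, a fail-open check that treats a method with no defined roles as authorized, beside a fail-closed rewrite, and its main method doubles as the kind of retest matrix the last recommendation calls for. All names here (EjbAuthorizationModel, MethodSecurity, vulnerableAuthorize, hardenedAuthorize, the role "admin") are hypothetical, and the @RolesAllowed/@PermitAll/@DenyAll annotations are stood in for by plain fields; it does not reproduce the real AuthorizationInterceptor source.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (hypothetical names, not JBoss EAP source): a minimal model of
 * an EJB method authorization interceptor. vulnerableAuthorize() shows the
 * fail-open logic the CVE-2012-4549 record describes; hardenedAuthorize() only
 * grants access on an explicit permit-all rule or a matching caller role.
 */
public class EjbAuthorizationModel {

    /** Per-method security metadata, standing in for @RolesAllowed, @PermitAll and @DenyAll. */
    static final class MethodSecurity {
        final Set<String> rolesAllowed; // roles named on the method; empty means none declared
        final boolean permitAll;        // explicit "anyone may call"
        final boolean denyAll;          // explicit "nobody may call"

        MethodSecurity(Set<String> rolesAllowed, boolean permitAll, boolean denyAll) {
            this.rolesAllowed = Collections.unmodifiableSet(new HashSet<>(rolesAllowed));
            this.permitAll = permitAll;
            this.denyAll = denyAll;
        }

        static MethodSecurity rolesAllowed(String... roles) {
            return new MethodSecurity(new HashSet<>(Arrays.asList(roles)), false, false);
        }
        static MethodSecurity permitAll()      { return new MethodSecurity(Collections.emptySet(), true, false); }
        static MethodSecurity denyAll()        { return new MethodSecurity(Collections.emptySet(), false, true); }
        static MethodSecurity noRolesDefined() { return new MethodSecurity(Collections.emptySet(), false, false); }
    }

    /** Fail-open variant: an empty role set short-circuits to "authorized". */
    static boolean vulnerableAuthorize(MethodSecurity method, Set<String> callerRoles) {
        if (method.denyAll) return false;
        if (method.permitAll) return true;
        if (method.rolesAllowed.isEmpty()) {
            return true; // BUG: absence of defined roles is taken as success
        }
        return !Collections.disjoint(method.rolesAllowed, callerRoles);
    }

    /** Fail-closed variant: no roles defined means no access unless permit-all is explicit. */
    static boolean hardenedAuthorize(MethodSecurity method, Set<String> callerRoles) {
        if (method.denyAll) return false;
        if (method.permitAll) return true;
        if (method.rolesAllowed.isEmpty()) {
            return false; // deny: a sensitive method must declare who may call it
        }
        return !Collections.disjoint(method.rolesAllowed, callerRoles);
    }

    /** One retest case: a method rule paired with the roles the caller presents. */
    static final class Case {
        final String name;
        final MethodSecurity method;
        final Set<String> callerRoles;

        Case(String name, MethodSecurity method, Set<String> callerRoles) {
            this.name = name;
            this.method = method;
            this.callerRoles = callerRoles;
        }
    }

    /** Constructed retest matrix; the first row is the bypass (vulnerable grants, hardened denies). */
    public static void main(String[] args) {
        Set<String> anonymous = Collections.emptySet();
        Set<String> admin = Collections.singleton("admin");

        List<Case> cases = Arrays.asList(
            new Case("noRolesDefined / anonymous",     MethodSecurity.noRolesDefined(),      anonymous),
            new Case("rolesAllowed(admin) / anonymous", MethodSecurity.rolesAllowed("admin"), anonymous),
            new Case("rolesAllowed(admin) / admin",     MethodSecurity.rolesAllowed("admin"), admin),
            new Case("permitAll / anonymous",           MethodSecurity.permitAll(),           anonymous),
            new Case("denyAll / admin",                 MethodSecurity.denyAll(),             admin)
        );

        System.out.printf("%-34s %-12s %-12s%n", "case", "vulnerable", "hardened");
        for (Case c : cases) {
            System.out.printf("%-34s %-12s %-12s%n", c.name,
                    vulnerableAuthorize(c.method, c.callerRoles),
                    hardenedAuthorize(c.method, c.callerRoles));
        }
    }
}
```

The only row where the two policies disagree is a method with no roles defined called by a caller with no roles: the fail-open check grants it, the fail-closed check denies it. When retesting a patched deployment, that is the invocation path to exercise with an unauthenticated client. If a deployment intends some methods to be open, mark them explicitly as permit-all so the intent is visible in the code rather than inherited from container defaults.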

Evidence notes

The source corpus identifies the issue as CVE-2012-4549 and links it to Red Hat JBoss Enterprise Application Platform. NVD lists the vulnerable CPE for redhat:jboss_enterprise_application_platform with explicit versions 4.2.0, 4.3.0, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, and 5.2.2, plus a broader vulnerable criteria ending at 6.0.0. The CVSS vector supplied is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, supporting network reachability, no privileges required, and no user interaction. PublishedAt is 2013-01-05T00:55:02.947Z; the 2026-05-14 modified timestamp reflects record maintenance, not the original disclosure date.

Official resources

Publicly disclosed in the CVE/NVD record on 2013-01-05. The later 2026-05-14 modified timestamp in the source corpus indicates record updates, not the original vulnerability date.