PatchSiren cyber security CVE debrief

CVE-2012-4550 Red Hat CVE debrief

CVE-2012-4550 describes an access-control flaw in Red Hat JBoss Enterprise Application Platform. When role-based authorization is used for Enterprise Java Beans (EJB) access, the platform may fail to invoke the required authorization modules, which prevents Java Authorization Contract for Containers (JACC) permissions from being enforced. The result is that a remote attacker may gain unauthorized access to EJBs. NVD records the issue as medium severity with a network attack vector and no user interaction required.

Vendor: Red Hat
Product: CVE-2012-4550
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2013-01-05
Original CVE updated: 2026-05-14
Advisory published: 2013-01-05
Advisory updated: 2026-05-14

Who should care

Security teams and administrators running Red Hat JBoss Enterprise Application Platform 6.0.0, especially deployments that use role-based authorization for EJB access and rely on JACC for access control.

Technical summary

The vulnerability is an improper access-control condition (CWE-280, with NVD also mapping CWE-264) in EJB authorization handling. According to the record, the system does not correctly call the necessary authorization modules when role-based authorization is used, so JACC permissions are not applied as intended. The vulnerable CPE listed in NVD is Red Hat JBoss Enterprise Application Platform 6.0.0. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating remote, low-complexity exploitation with confidentiality impact only.

Defensive priority

Medium. The issue is remotely reachable and requires no privileges or user interaction, but the recorded impact is limited to low confidentiality exposure. Prioritize it for internet-facing or broadly accessible EJB deployments that depend on role-based authorization and JACC.

Recommended defensive actions

  • Determine whether any JBoss Enterprise Application Platform deployments run version 6.0.0 and use role-based EJB authorization.
  • Review whether those deployments depend on JACC-enforced permissions for access control.
  • Apply the relevant Red Hat security advisories referenced in the vendor notices (RHSA-2012-1591, RHSA-2012-1592, RHSA-2012-1594) or the current Red Hat security guidance for this CVE.
  • Validate post-update authorization behavior for EJB endpoints to confirm that expected access controls are being enforced.
  • Restrict exposure of EJB services where possible until remediation is confirmed.

Evidence notes

The CVE description states that role-based authorization for EJB access can fail to invoke the needed authorization modules, preventing JACC permissions from being applied and enabling unauthorized EJB access. NVD lists the affected CPE as redhat:jboss_enterprise_application_platform:6.0.0 and classifies the issue with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. Vendor advisory references are present from Red Hat security errata pages. Published date supplied in the corpus is 2013-01-05; modified date is 2026-05-14.

Official resources

This CVE was published on 2013-01-05, and the supplied NVD record was last modified on 2026-05-14. The timeline in this debrief follows the provided CVE publication date, not the later record modification date.