CVE-2021-3503: [WFLY-11933] Error when accessing metrics with RBAC enabled

A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data.


According to https://docs.wildfly.org/17/Admin_Guide.html#http-endpoint-2 and https://wildscribe.github.io/WildFly/17.0/subsystem/microprofile-metrics-smallrye/index.html, access to the metrics endpoint is controlled by the security-enabled attribute.

When this attribute is set to false, an exception is thrown when metrics are accessed. By default, this attribute is set to false in the standalone.xml configuration.

Please refer to the steps to reproduce. This error occurs only when RBAC is enabled.

When RBAC is enabled for management in WildFly, accessing metrics throws an exception:

java.lang.IllegalStateException: WFLYMETRICS0003: Unable to read attribute XAForgetAverageTime on [
("subsystem" => "datasources"),
("data-source" => "ExampleDS"),
("statistics" => "pool")
]: "WFLYCTL0216: Management resource '[
(\"subsystem\" => \"datasources\"),
(\"data-source\" => \"ExampleDS\"),
(\"statistics\" => \"pool\")
]' not found".
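As an added example (not part of the advisory or of WildFly itself), the following script audits a standalone.xml for the two settings the report above turns on: whether the metrics subsystem has security-enabled set, and whether management RBAC is active. The embedded configuration is a constructed sample, and the subsystem and domain namespace URNs are assumptions.

```python
"""Audit a WildFly standalone.xml for the metrics-endpoint settings discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample of a WildFly-17-style standalone.xml (namespace URNs are assumed).
SAMPLE_STANDALONE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<server xmlns="urn:jboss:domain:10.0">
  <management>
    <access-control provider="rbac">
      <role-mapping><role name="SuperUser"><include><user name="$local"/></include></role></role-mapping>
    </access-control>
  </management>
  <profile>
    <subsystem xmlns="urn:wildfly:microprofile-metrics-smallrye:1.0"
               security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:wildfly}"/>
  </profile>
</server>
"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts in front of a tag name."""
    return tag.rsplit("}", 1)[-1]

def audit_metrics_config(xml_text):
    """Return whether the metrics subsystem is present, whether its endpoint is
    protected (security-enabled), and whether management RBAC is switched on."""
    root = ET.fromstring(xml_text)
    metrics = [e for e in root.iter()
               if _local(e.tag) == "subsystem" and "microprofile-metrics" in e.tag]
    # The attribute defaults to false (unauthenticated), so a missing attribute counts as false.
    security_enabled = (metrics[0].get("security-enabled", "false").lower() == "true"
                        if metrics else None)
    rbac = any(_local(e.tag) == "access-control" and e.get("provider") == "rbac"
               for e in root.iter())
    return {"metrics_subsystem_present": bool(metrics),
            "security_enabled": security_enabled,
            "rbac_enabled": rbac}

def findings(xml_text):
    """Turn the raw settings into configuration-review findings."""
    r = audit_metrics_config(xml_text)
    out = []
    if r["metrics_subsystem_present"] and not r["security_enabled"]:
        out.append('metrics endpoint is unauthenticated: set security-enabled="true" '
                   'so /metrics requires management credentials')
        if r["rbac_enabled"]:
            out.append("RBAC is enabled with security-enabled=false, the combination "
                       "the report above ties to WFLYMETRICS0003 on metrics access")
    return out

if __name__ == "__main__":
    for line in findings(SAMPLE_STANDALONE_XML):
        print("-", line)
```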
