Bug 1935927 (CVE-2021-20289) - CVE-2021-20289 resteasy: Error message exposes endpoint class information
Summary: CVE-2021-20289 resteasy: Error message exposes endpoint class information
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20289
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936941 1938279 1941544 1941545 1941546
Blocks: 1935929 1939063 1939790 2014197
TreeView+ depends on / blocked
 
Reported: 2021-03-05 19:59 UTC by Pedro Sampaio
Modified: 2022-09-09 07:12 UTC (History)
115 users (show)

Fixed In Version: resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.Final. The endpoint class and method names are returned as part of the exception response when RESTEasy cannot convert one of the request URI path or query values to the matching JAX-RS resource method's parameter value. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed: 2021-09-30 12:21:10 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3700 0 None None None 2021-09-30 09:57:53 UTC
Red Hat Product Errata RHSA-2021:3880 0 None None None 2021-10-20 11:29:55 UTC
Red Hat Product Errata RHSA-2021:4100 0 None None None 2021-11-02 12:42:44 UTC
Red Hat Product Errata RHSA-2021:4676 0 None None None 2021-11-15 17:16:37 UTC
Red Hat Product Errata RHSA-2021:4677 0 None None None 2021-11-15 17:16:50 UTC
Red Hat Product Errata RHSA-2021:4679 0 None None None 2021-11-15 17:06:43 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:34:56 UTC
Red Hat Product Errata RHSA-2021:5149 0 None None None 2021-12-15 14:49:32 UTC
Red Hat Product Errata RHSA-2021:5150 0 None None None 2021-12-15 14:35:25 UTC
Red Hat Product Errata RHSA-2021:5151 0 None None None 2021-12-15 14:41:01 UTC
Red Hat Product Errata RHSA-2021:5154 0 None None None 2021-12-15 14:42:38 UTC
Red Hat Product Errata RHSA-2021:5170 0 None None None 2021-12-15 19:08:55 UTC
Red Hat Product Errata RHSA-2022:0146 0 None None None 2022-01-17 12:03:00 UTC
Red Hat Product Errata RHSA-2022:0151 0 None None None 2022-01-17 21:31:29 UTC
Red Hat Product Errata RHSA-2022:0152 0 None None None 2022-01-17 21:30:36 UTC
Red Hat Product Errata RHSA-2022:0155 0 None None None 2022-01-17 21:46:38 UTC
Red Hat Product Errata RHSA-2022:0164 0 None None None 2022-01-18 14:53:44 UTC
Red Hat Product Errata RHSA-2022:1179 0 None None None 2022-04-12 19:06:22 UTC
Red Hat Product Errata RHSA-2022:6407 0 None None None 2022-09-09 07:12:27 UTC

Description Pedro Sampaio 2021-03-05 19:59:45 UTC 
A flaw was found in resteasy. The endpoint class and method names are returned as part of the exception response when Resteasy can not convert one of the request URI path/query/matrix parameters to a value expected by a given class resource/method method parameter.

References:

https://issues.redhat.com/browse/RESTEASY-2843
Comment 8 Alexander Scheel 2021-03-16 23:20:09 UTC 
JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will be fixed in the upcoming release 4.7.0.Final.
Comment 9 Ted Jongseok Won 2021-03-17 04:50:03 UTC 
In reply to comment #8:
> JFTR it doesn't look (from RESTEASY-2843) or the upstream repo that this CVE
> is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will
> be fixed in the upcoming release 4.7.0.Final.

Thank you for pointing out it. We've fixed it. Thanks!
Comment 10 Ted Jongseok Won 2021-03-22 04:09:51 UTC 
Acknowledgments:

Name: Dirk Papenberg (NTT DATA Germany)
Comment 11 Riccardo Schirone 2021-03-22 10:53:03 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1941544]
Comment 26 Ted Jongseok Won 2021-07-21 05:46:09 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Data Grid 7
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 29 errata-xmlrpc 2021-09-30 09:57:48 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
Comment 30 Product Security DevOps Team 2021-09-30 12:21:10 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20289
Comment 32 errata-xmlrpc 2021-10-20 11:29:50 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.3

Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880
Comment 33 errata-xmlrpc 2021-11-02 12:42:38 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.2 GA

Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100
Comment 35 errata-xmlrpc 2021-11-15 17:06:38 UTC 
This issue has been addressed in the following products:

  EAP 7.4.2 release

Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679
Comment 36 errata-xmlrpc 2021-11-15 17:16:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676
Comment 37 errata-xmlrpc 2021-11-15 17:16:46 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677
Comment 38 errata-xmlrpc 2021-11-23 10:34:53 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
Comment 39 errata-xmlrpc 2021-12-15 14:35:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150
Comment 40 errata-xmlrpc 2021-12-15 14:40:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151
Comment 41 errata-xmlrpc 2021-12-15 14:42:34 UTC 
This issue has been addressed in the following products:

  EAP 7.3.10 GA

Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154
Comment 42 errata-xmlrpc 2021-12-15 14:49:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149
Comment 43 errata-xmlrpc 2021-12-15 19:08:51 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170
Comment 44 errata-xmlrpc 2022-01-17 12:02:54 UTC 
This issue has been addressed in the following products:

  Red Hat EAP-XP 2 via EAP 7.3.x base

Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146
Comment 45 errata-xmlrpc 2022-01-17 21:30:31 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152
Comment 46 errata-xmlrpc 2022-01-17 21:31:23 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151
Comment 47 errata-xmlrpc 2022-01-17 21:46:33 UTC 
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155
Comment 48 errata-xmlrpc 2022-01-18 14:53:39 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164
Comment 49 errata-xmlrpc 2022-04-12 19:06:17 UTC 
This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.5.10

Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179
Comment 50 errata-xmlrpc 2022-09-09 07:12:22 UTC 
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
Note You need to log in before you can comment on or make changes to this bug.