Bug 1372117 (CVE-2016-6345)

Summary: CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecified
CC: 870022574, aileenc, alazarot, alee, aszczucz, bbaranow, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, drieden, eedri, epp-bugs, etirelli, fnasser, gvarsami, huwang, java-sig-commits, jawilson, jboss-set, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kverlaen, ldimaggi, lgao, lsurette, lzap, mbaluch, mgoldboi, mhulan, michal.skrivanek, mmccune, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pkliczew, pslavice, puntogil, rcernich, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tsanders, ttarrant, twalsh, vtunka, weli, ykaul
Target Milestone: ---
Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: resteasy 3.1.0.CR1, resteasy 3.0.20.Final Doc Type: If docs needed, set a value
Doc Text:
It was found that there was insufficient use of random values in RESTEasy async jobs. An attacker could use this flaw to steal user data.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:54:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1372118, 1471273, 1471274, 1480769, 1914368    
Bug Blocks: 1371804, 1372141, 1372565, 1372568, 1372571    

Description Jason Shepherd 2016-09-01 00:30:16 UTC
It was found that there was insufficient use of random values in RESTEasy async jobs. An attacker could use this flaw to steal user data.

Comment 1 Jason Shepherd 2016-09-01 00:31:07 UTC
Acknowledgments:

Name: Mikhail Egorov (Odin)

Comment 2 Jason Shepherd 2016-09-01 00:32:26 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372118]

Comment 4 Jason Shepherd 2016-09-01 04:48:07 UTC
Mitigation:

Don't enable the Async Jobs Service, as detailed in the section "2.10. RESTEASY ASYNCHRONOUS JOB SERVICE" of the JBoss EAP 7 Developing Web Services Applications documentation: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/developing-web-services-applications/chapter-2-developing-jax-rs-web-services
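
As an added illustration of the mitigation above (not part of the bug report or of RESTEasy's own code): a web.xml fragment for a RESTEasy 3.x deployment that keeps the asynchronous job service disabled. The context-parameter name `resteasy.async.job.service.enabled` and the `?asynch=true` / `?oneway=true` request feature come from RESTEasy's documentation; the servlet name and URL mapping are assumed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the bug report): web.xml for a RESTEasy 3.x
     deployment. The asynchronous job service is the component CVE-2016-6345
     concerns; the mitigation is simply not to turn it on. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

    <!-- Weak configuration: enables the job service, which accepts
         ?asynch=true / ?oneway=true on requests and later hands the stored
         result to whoever presents the job's id. Left here, commented out,
         only to show what must NOT be present in the deployment. -->
    <!--
    <context-param>
        <param-name>resteasy.async.job.service.enabled</param-name>
        <param-value>true</param-value>
    </context-param>
    -->

    <!-- Mitigated configuration: the service stays off. This is also the
         RESTEasy default, so stating it explicitly documents the intent and
         survives a later copy-paste of a sample web.xml that enables it. -->
    <context-param>
        <param-name>resteasy.async.job.service.enabled</param-name>
        <param-value>false</param-value>
    </context-param>

    <!-- Application bootstrap; servlet name and mapping are placeholders. -->
    <servlet>
        <servlet-name>resteasy-servlet</servlet-name>
        <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>resteasy-servlet</servlet-name>
        <url-pattern>/rest/*</url-pattern>
    </servlet-mapping>
</web-app>
```

Disabling the service is a workaround only; the actual fix is to move to the versions listed under "Fixed In Version" above.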

Comment 9 Kurt Seifried 2017-07-14 21:15:50 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471273]

Comment 11 Kurt Seifried 2017-08-11 20:40:21 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1480769]