| Summary: | CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, alazarot, alee, aszczucz, avibelli, bbaranow, bbuckingham, bcourt, bdawidow, bgeorges, bkearney, bmaxwell, bmcclain, btotty, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dosoudil, drieden, eedri, ehelms, epp-bugs, etirelli, fnasser, gvarsami, hhudgeon, huwang, java-sig-commits, jawilson, jbalunas, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kconner, krathod, kverlaen, ldimaggi, lgao, lpetrovi, lsurette, lthon, lzap, mbaluch, mgoldboi, mgoldman, mhulan, miburman, michal.skrivanek, mmccune, mstead, mszynkie, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pgallagh, pgier, pkliczew, psakar, pslavice, psotirop, puntogil, rchan, Rhev-m-bugs, rjerrido, rnetuka, rrajasek, rruss, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, spinder, sthorger, tcunning, theute, tkirby, tlestach, tomckay, trogers, tsanders, ttarrant, twalsh, vhalbert, vtunka, weli, ykaul |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | resteasy 3.1.0.CR1, resteasy 3.0.20.Final | Doc Type: | If docs needed, set a value |
| Doc Text: | It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:58:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | 1372122, 1372592, 1372593, 1372848, 1372849, 1456313, 1456314, 1456315, 1456316, 1456317, 1471275, 1471276, 1914370 | | |
| Bug Blocks: | 1371804, 1372141, 1372565, 1372568, 1372571, 1460775, 1527613 | | |

Description
Jason Shepherd
2016-09-01 00:44:29 UTC

Acknowledgments:

Name: Mikhail Egorov (Odin)

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372122]

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.14

Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1456313]

This issue has been addressed in the following products:

  Red Hat JBoss BRMS

Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676

This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite

Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471275]

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7

Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6

Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005

This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143

This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675

This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676

Statement:

This issue was fixed in EAP 7.1.0, but was not fixed in 7.0.7.

On Red Hat Satellite 6.5 this issue is fixed through the candlepin package update (candlepin 2.5.8), which contains a non-vulnerable version of RESTEasy.

This issue has been addressed in the following products:

  Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222