Bug 1372124 (CVE-2016-6347)

Summary: CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, alee, aszczucz, bbaranow, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dosoudil, drieden, eedri, epp-bugs, etirelli, fnasser, gvarsami, huwang, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kconner, kverlaen, ldimaggi, lgao, lpetrovi, lsurette, lzap, mbaluch, mgoldboi, miburman, michal.skrivanek, mmccune, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pgier, pkliczew, psakar, pslavice, puntogil, rcernich, rchan, Rhev-m-bugs, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, spinder, sthorger, tbrisker, tcunning, theute, tkirby, tlestach, tomckay, tsanders, ttarrant, twalsh, vhalbert, vtunka, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20160901,reported=20160829,source=researcher,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,cvss3=5.4/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N,cwe=CWE-20,eap-7/REST=affected,fedora-all/resteasy=affected,eap-6/RESTEasy=notaffected,eap-5/jbossas=wontfix,bpms-6/Build and Assembly=notaffected,brms-6/Build and Assembly=notaffected,jdg-6/Build=notaffected,jdv-6/Productization=notaffected,brms-5/Security=wontfix,soap-5/Security=wontfix,fsw-6/SwitchYard=notaffected,fuse-6/SwitchYard=affected,jon-3/REST=wontfix,jpp-6/Requirements=notaffected,rhsso-7/Core=notaffected,rhev-m-3/vdsm-jsonrpc-java=new,rhn_satellite_6/Security=wontfix,sam-1/katello=new,jdg-7/resteasy=affected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1372125, 1471277, 1590941, 1471278    
Bug Blocks: 1371804, 1372141, 1372565, 1372568, 1372571    

Description Jason Shepherd 2016-09-01 01:09:47 UTC
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.

Comment 1 Jason Shepherd 2016-09-01 01:09:51 UTC
Acknowledgments:

Name: Mikhail Egorov (Odin)

Comment 2 Jason Shepherd 2016-09-01 01:11:11 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372125]

Comment 6 Kurt Seifried 2017-07-14 21:15:54 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471277]

Comment 9 Kurt Seifried 2018-06-13 16:58:44 UTC
Statement:

This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 10 Kurt Seifried 2018-06-13 16:59:35 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1590941]