Bug 1372124 (CVE-2016-6347)

Summary: CVE-2016-6347 RESTEasy: Use of the default exception handler in RESTEasy can lead to reflected XSS attack
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, alee, aszczucz, bbaranow, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dblechte, dmoluguw, dosoudil, drieden, eedri, epp-bugs, etirelli, fnasser, gvarsami, huwang, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jmatthew, jolee, jpallich, jshepherd, katello-bugs, kverlaen, ldimaggi, lgao, lsurette, lzap, mbaluch, mgoldboi, miburman, michal.skrivanek, mmccune, mstead, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pdrozd, pgier, pkliczew, psakar, pslavice, puntogil, rcernich, rchan, Rhev-m-bugs, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, satellite6-bugs, soa-p-jira, sthorger, tcunning, theute, tkirby, tlestach, tomckay, tsanders, ttarrant, twalsh, vhalbert, vtunka, weli, ykaul
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: resteasy 3.1.0.CR1, resteasy 3.0.20.Final Doc Type: If docs needed, set a value
Doc Text:
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-21 00:54:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1372125, 1471277, 1471278, 1590941, 1914372    
Bug Blocks: 1371804, 1372141, 1372565, 1372568, 1372571    

Description Jason Shepherd 2016-09-01 01:09:47 UTC 
It was found that the default exception handler in RESTEasy did not properly validate user input. An attacker could use this flaw to launch a relected XSS attack.
Comment 1 Jason Shepherd 2016-09-01 01:09:51 UTC 
Acknowledgments:

Name: Mikhail Egorov (Odin)
Comment 2 Jason Shepherd 2016-09-01 01:11:11 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372125]
Comment 6 Kurt Seifried 2017-07-14 21:15:54 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471277]
Comment 9 Kurt Seifried 2018-06-13 16:58:44 UTC 
Statement:

This issue affects the versions of RESTEasy as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Moderate. Additionally Red Hat Satellite does not use the default ExceptionMapper, and the custom exception handler does not allow return type of text/html. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 10 Kurt Seifried 2018-06-13 16:59:35 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1590941]
Comment 11 Dinesh Prasanth 2019-10-21 19:40:55 UTC 
The reported issue has been fixed by rebasing to resteasy 3.0.26

Rawhide/f32: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403302
F31: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403312
F30: https://koji.fedoraproject.org/koji/buildinfo?buildID=1403309

Closing this bug as CURRENTRELEASE