Bug 1400644 (CVE-2016-9606)
| Summary: | CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abhgupta, aboyko, aileenc, alazarot, alee, asoldano, aszczucz, avibelli, bbaranow, bdawidow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dmcphers, dosoudil, drieden, etirelli, fnasser, gsterlin, hhorak, jason.greene, jawilson, jbalunas, jcoleman, jialiu, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, kanovotn, krathod, kverlaen, lgao, lmeyer, lpetrovi, mbaluch, miburman, mizdebsk, mkopecky, mmccomas, mnewsome, mweiler, mwinkler, myarboro, nobody+bgollahe, nwallace, ohudlick, pdrozd, pgier, pjindal, psakar, pslavice, rnetuka, rrajasek, rsearls, rsigal, rsvoboda, rzhang, rzima, security-response-team, spinder, sthorger, theute, tiwillia, tkirby, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | resteasy 3.0.22, resteasy 3.1.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:02:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1403661, 1404912 | ||
| Bug Blocks: | 1400646, 1460775 | ||
|
Description
Adam Mariš
2016-12-01 17:08:24 UTC
Acknowledgments: Name: Moritz Bechler (AgNO3 GmbH & Co. KG) For Resteasy, it's a requirement that the @Consumes() annotation doesn't define a mime type, or defines a multipart mime type. Explicitly defining 'text/x-yaml', would also make that endpoint vulnerable. If the @Consumes annotation explicitly defines a 'application/json', or 'application/xml' it is not vulnerable. Resteasy versions from 3.0-beta-1 up to and including 3.1.0.CR3 are potentially affected. Resteasy versions from 2.2.0.GA in the 2.x range are also potentially affected. EAP 7.0 is not affected because a bug in Resteasy which prevents the loading of YamlProvider in that version. The YamlProvider is unsupported: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/700-release-notes/chapter-3-unsupported-and-deprecated-functionality However we do plan to fix this issue in EAP 7.1 Mitigation: Add authentication and authorization to any Resteasy endpoint which doesn't define a mime type, or defines a multipart mime type. Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1404912] Upstream tracker can be found here: https://issues.jboss.org/browse/RESTEASY-1618 Please note that the previous CVE (CVE-2016-9571) was rejected in favor of the newly assigned CVE-2016-9606. This was because the CVE-2016-9571 ID was mistakenly double-assigned by MITRE to a Camel issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9571 Statement: YamlProvider was removed the default list of providers to prevent a malicous user from requesting a payload be marshalled with Yaml. If marshalling of Yaml content is desired, add, or append a file with the name 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR, or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider' If YamlProvider is re-added to the default list of providers it's recommended to add authentication, and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerablilty. (In reply to Jason Shepherd from comment #15) > Upstream tracker can be found here: > https://issues.jboss.org/browse/RESTEASY-1618 According to the information in the still non-public RESTEASY-1618, this was fixed in resteasy 3.0.22 and 3.1.2. The following upstream commit references RESTEASY-1618: https://github.com/resteasy/Resteasy/commit/bccadffa2df8ecaff6616df18d2f3b1210866b99 It seems to disable Yaml provider. There is no mention of the change in the announcement blog post or upstream release notes: https://developer.jboss.org/en/resteasy/blog/2017/03/31/resteasy-312final-and-3022final-are-out https://issues.jboss.org/secure/ReleaseNote.jspa?version=12333793&styleName=Text&projectId=12310560&Create=Create https://issues.jboss.org/secure/ReleaseNote.jspa?version=12333792&styleName=Text&projectId=12310560&Create=Create This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1254 https://access.redhat.com/errata/RHSA-2017:1254 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:1253 https://access.redhat.com/errata/RHSA-2017:1253 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:1256 https://access.redhat.com/errata/RHSA-2017:1256 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.15 Via RHSA-2017:1255 https://access.redhat.com/errata/RHSA-2017:1255 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1260 https://access.redhat.com/errata/RHSA-2017:1260 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.6 Via RHSA-2017:1409 https://rhn.redhat.com/errata/RHSA-2017-1409.html This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1411 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1410 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:1412 This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676 This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2018:2909 https://access.redhat.com/errata/RHSA-2018:2909 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2018:2913 https://access.redhat.com/errata/RHSA-2018:2913 This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675 This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676 |