Bug 1483823 (CVE-2017-7561)
| Summary: | CVE-2017-7561 resteasy: Vary header not added by CORS filter leading to cache poisoning | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aileenc, avibelli, bdawidow, bgeorges, bmaxwell, cdewolf, chazlett, csutherl, darran.lofthouse, dimitris, dosoudil, drieden, jawilson, jbalunas, jcoleman, jolee, jpallich, jshepherd, krathod, lgao, loleary, lthon, mszynkie, myarboro, nwallace, pdrozd, pgallagh, pgier, psakar, pslavice, psotirop, rnetuka, rruss, rsvoboda, spinder, sthorger, theute, trogers, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | resteasy 4.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
It was discovered that the CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 03:21:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1483824, 1527613 | ||
|
Description
Jason Shepherd
2017-08-22 04:33:59 UTC
Acknowledgments: Name: Jason Shepherd (Red Hat Product Security) RHMAP using RestEasy in UPS, but does not use CorsFilter class. Marking as not affected Fixed upstream in Resteasy 4.0.0 via https://issues.jboss.org/browse/RESTEASY-1704 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481 JDG 7.3 includes resteasy-jaxrs-3.6.1.SP2-redhat-00001.jar and I have verified that this jar contains the fix already hence marking JDG 7 as "not affected". RHSSO 7.3.5 ships : ./modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/resteasy/resteasy-jaxrs/main/resteasy-jaxrs-3.6.1.SP7-redhat-00001.jar which is not affected. |