Bug 1535411 (CVE-2018-1051)

Summary: CVE-2018-1051 resteasy: Unsafe unmarshalling in YamlProvider allows code execution
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, alee, anstephe, bcourt, bdawidow, bkearney, bmaxwell, bmcclain, cbillett, cdewolf, chazlett, csutherl, darran.lofthouse, dblechte, dffrench, dimitris, dosoudil, drieden, drusso, edewata, eedri, etirelli, fgavrilo, gvarsami, ibek, java-sig-commits, jawilson, jcoleman, jmadigan, jmatthew, jolee, jondruse, jshepherd, jstastny, kconner, krathod, kverlaen, ldimaggi, lgao, lgriffin, loleary, lpetrovi, mgoldboi, michal.skrivanek, mmccune, myarboro, ngough, nwallace, ohadlevy, paradhya, pdrozd, pgier, ppalaga, psakar, psampaio, pslavice, psotirop, puntogil, pwright, rchan, rnetuka, rrajasek, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, security-response-team, sherold, spinder, sthorger, tcunning, theute, tkirby, tomckay, trepel, tsanders, twalsh, vhalbert, vtunka, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-07-12 13:04:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1536223, 1539175, 1539176, 1539177, 1539178, 1539179, 1598370    
Bug Blocks: 1535413    

Description Adam Mariš 2018-01-17 10:42:28 UTC 
It was found that fix for CVE-2016-9606 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider.
Comment 3 Jason Shepherd 2018-01-18 07:02:43 UTC 
resteasy-yaml-provider is marked as unsupported here. Marking EAP 7 as not affected
https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.0/paged/7.0.0_release_notes/release_notes_unsupported_and_deprecated_functionality
Comment 5 Jason Shepherd 2018-01-18 08:14:23 UTC 
Mitigation:

If the YamlProvider is enabled it's recommended to add authentication, and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.
Comment 9 Jason Shepherd 2018-01-23 05:23:39 UTC 
This won't be fixed in JBoss EAP 6.4, or 7.1 as the YamlProvider in RESTEasy is unsupported.
Comment 10 Jason Shepherd 2018-01-24 03:41:08 UTC 
Acknowledgments:

Name: Rui Chong (Baidu)
Comment 12 Kurt Seifried 2018-01-26 20:03:57 UTC 
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1539175]
Comment 18 Doran Moppert 2018-07-05 08:45:41 UTC 
Statement:

This issue only affects applications which have the YamlProvider explicitly enabled by adding or appending a file with the name 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR, or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'

resteasy-base as shipped in Red Hat Enterprise Linux 7 does not include YamlProvider.

Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.

This issue affects the versions of resteasy as shipped with Red Hat Satellite version 6, however Satellite version 6 does not use the affected functionality. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.

For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 20 Joshua Padman 2019-05-15 22:43:40 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Data Grid 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss SOA Platform 5
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 22 Product Security DevOps Team 2019-07-12 13:04:56 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1051