Bug 1855826 (CVE-2020-14326)
| Summary: | CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aboyko, aileenc, alee, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, drieden, ganandan, ggaughan, gmalinko, gsmet, iweiss, janstey, jawilson, jbalunas, jboss-set, jnethert, jochrist, jpallich, jperkins, jwon, krathod, kwills, lgao, lthon, msochure, msvehla, mszynkie, nwallace, pantinor, pgallagh, pjindal, pmackay, psotirop, rguimara, rhcs-maint, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, tom.jenkinson, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | resteasy 4.5.6.Final | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-07-30 19:27:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1855263 | | |
Description
Michael Kaplan
2020-07-10 15:40:34 UTC
Acknowledgments:

Name: Ben Manes (Vector)

Red Hat Enterprise Linux 7 and 8 do not ship versions of RESTEasy that are affected by this flaw, as the vulnerable code was introduced in newer versions.

This issue has been addressed in the following products:

Red Hat build of Quarkus 1.3.4 SP1

Via RHSA-2020:3248 https://access.redhat.com/errata/RHSA-2020:3248

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14326

We are changing Camel-K to low impact: although Red Hat Integration Camel-K ships some RESTEasy components in the affected version range, they are not used as part of the Camel-K runtime; camel-platform-http is used instead for exposing REST routes.

This issue has been addressed in the following products:

Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
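The Doc Text above describes the failure mode in one sentence: a route-matching cache keyed by request paths that a client chooses lets that client add an entry per request, so the cache grows without bound and every lookup and insert gets slower. The following Python model is an added example written for this record; it is not RESTEasy's RootNode (which is Java) and the record does not say how 4.5.6.Final changed the caching, so the bounded LRU cache here is one standard mitigation offered as an assumption, not a description of the upstream fix. The route table, path generator and cache sizes are all constructed for the demonstration.

```python
"""Model of a route-matching cache keyed by client-controlled request paths.

Added example, not RESTEasy code. It contrasts a cache that stores a result
for every distinct path it sees (the pattern the Doc Text describes) with a
bounded LRU cache that also refuses to cache unmatched paths.
"""
from collections import OrderedDict

# Constructed route table standing in for a JAX-RS resource tree.
ROUTES = {
    "/users": "UserResource",
    "/users/{id}": "UserResource.get",
    "/health": "Health",
}


def match_route(path: str):
    """Slow path: walk the route table and return a handler name or None."""
    if path in ROUTES:
        return ROUTES[path]
    parts = path.strip("/").split("/")
    for template, handler in ROUTES.items():
        tparts = template.strip("/").split("/")
        if len(tparts) != len(parts):
            continue
        # A "{param}" segment matches anything; a literal must match exactly.
        if all(t.startswith("{") or t == p for t, p in zip(tparts, parts)):
            return handler
    return None


class UnboundedRouteCache:
    """Caches a result for every distinct path seen: one entry per request."""

    def __init__(self):
        self.cache = {}

    def lookup(self, path: str):
        if path not in self.cache:
            self.cache[path] = match_route(path)
        return self.cache[path]

    def __len__(self):
        return len(self.cache)


class BoundedRouteCache:
    """LRU cache with a hard size cap; unmatched paths never occupy a slot."""

    def __init__(self, max_entries: int = 256):
        self.max_entries = max_entries
        self.cache = OrderedDict()

    def lookup(self, path: str):
        if path in self.cache:
            self.cache.move_to_end(path)  # mark as recently used
            return self.cache[path]
        handler = match_route(path)
        if handler is not None:
            self.cache[path] = handler
            if len(self.cache) > self.max_entries:
                self.cache.popitem(last=False)  # evict least recently used
        return handler

    def __len__(self):
        return len(self.cache)


def constructed_flood(n: int):
    """Constructed traffic: n distinct paths that all match /users/{id}."""
    return [f"/users/id{i}" for i in range(n)]


def simulate(cache, paths):
    """Feed every path through the cache and return its final size."""
    for p in paths:
        cache.lookup(p)
    return len(cache)


if __name__ == "__main__":
    flood = constructed_flood(10_000)
    print("unbounded:", simulate(UnboundedRouteCache(), flood))  # 10000
    print("bounded:  ", simulate(BoundedRouteCache(256), flood))  # 256
```

The review question this models is whether the key of any cache or map is derived from input the client controls and, if so, what bounds its size. The bounded variant keeps the hot routes (`/health` still hits after the flood) while the cache size stays at the cap regardless of how many distinct paths arrive.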