Bug 1855826 (CVE-2020-14326)

Summary: CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aboyko, aileenc, alee, asoldano, atangrin, avibelli, bbaranow, bgeorges, bibryam, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dkreling, dosoudil, drieden, ganandan, ggaughan, gmalinko, gsmet, iweiss, janstey, jawilson, jbalunas, jboss-set, jnethert, jochrist, jpallich, jperkins, jwon, krathod, kwills, lgao, lthon, msochure, msvehla, mszynkie, nwallace, pantinor, pgallagh, pjindal, pmackay, psotirop, rguimara, rhcs-maint, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, smaestri, tom.jenkinson, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: resteasy 4.5.6.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
Story Points: ---
Last Closed: 2020-07-30 19:27:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1855263

Description Michael Kaplan 2020-07-10 15:40:34 UTC
The API calls are successfully routed by RestEasy, while this cache grows
unbounded. Due to keys having the same hash code, each subsequent request
gets slower as more CPU time is spent searching and adding the entry. A
simple load generator could exploit this to make the endpoint unresponsive.

The media type itself is cached by MediaTypeHeaderDelegate, which protects
itself by using a fixed size cache (default of 200) that is cleared when
growing beyond the threshold. Since the RootNode cache is unbounded and not
accessible, it is subject to this exploit.

References:

https://issues.redhat.com/browse/RESTEASY-2643

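The mechanism described in the report above, as an added model that is not RESTEasy's code: a routing cache keyed on attacker-controlled request data is a hash table, so keys engineered to share one hash code all land in the same bucket, every lookup and insert walks that bucket, and the n-th request costs about n key comparisons while the table grows without bound. The second half shows the fixed-size, clear-on-threshold behaviour the report attributes to MediaTypeHeaderDelegate (threshold 200, taken from the report) capping both size and per-request cost. The key shape, the bucket count and the request paths are assumptions made for the illustration.

```python
"""Model of the hash-flooding DoS described in the bug (added illustration,
not RESTEasy code). RouteKey, the 64-bucket table and the sample paths are
assumptions; the 200-entry threshold is the one the bug report mentions."""
from typing import List, Optional, Tuple


class RouteKey:
    """Cache key derived from the request. `hash_code` stands in for what a
    real key's hashCode() returns; a hash-flooding client sends inputs whose
    keys all share one value while still comparing unequal."""

    def __init__(self, path: str, hash_code: int) -> None:
        self.path = path
        self.hash_code = hash_code

    def __eq__(self, other: object) -> bool:
        return isinstance(other, RouteKey) and self.path == other.path

    def __hash__(self) -> int:
        return self.hash_code


class ChainedTable:
    """Minimal chained hash table that counts key comparisons, so the cost of
    each operation is visible instead of hidden inside dict internals."""

    def __init__(self, buckets: int = 64) -> None:
        self.buckets: List[List[Tuple[RouteKey, str]]] = [[] for _ in range(buckets)]
        self.size = 0
        self.comparisons = 0  # running total of key equality checks

    def _bucket(self, key: RouteKey) -> List[Tuple[RouteKey, str]]:
        return self.buckets[hash(key) % len(self.buckets)]

    def get(self, key: RouteKey) -> Optional[str]:
        for k, v in self._bucket(key):
            self.comparisons += 1
            if k == key:
                return v
        return None

    def put(self, key: RouteKey, value: str) -> None:
        bucket = self._bucket(key)
        for i, (k, _) in enumerate(bucket):
            self.comparisons += 1
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))
        self.size += 1

    def clear(self) -> None:
        self.buckets = [[] for _ in self.buckets]
        self.size = 0


class UnboundedRouteCache:
    """The vulnerable shape: every new key is cached and nothing is evicted."""

    def __init__(self) -> None:
        self.table = ChainedTable()

    def route(self, key: RouteKey) -> str:
        target = self.table.get(key)
        if target is None:
            target = "resource-for:" + key.path  # stand-in for the matched resource
            self.table.put(key, target)
        return target


class BoundedRouteCache(UnboundedRouteCache):
    """Mitigation in the style the bug attributes to MediaTypeHeaderDelegate:
    once the cache holds `limit` entries it is dropped and rebuilt."""

    def __init__(self, limit: int = 200) -> None:
        super().__init__()
        self.limit = limit

    def route(self, key: RouteKey) -> str:
        if self.table.size >= self.limit:
            self.table.clear()
        return super().route(key)


def flood(cache: UnboundedRouteCache, requests: int, collide: bool) -> Tuple[int, int]:
    """Send `requests` distinct (constructed) paths through `cache`. With
    collide=True every key carries the same hash code, as a flooding client
    arranges. Returns (comparisons spent on the last request, cache size)."""
    last_cost = 0
    for i in range(requests):
        key = RouteKey(f"/api/v1/items/{i}", 0 if collide else i)
        start = cache.table.comparisons
        cache.route(key)
        last_cost = cache.table.comparisons - start
    return last_cost, cache.table.size


if __name__ == "__main__":
    for name, cache, collide in (("unbounded, colliding", UnboundedRouteCache(), True),
                                 ("unbounded, distinct", UnboundedRouteCache(), False),
                                 ("bounded(200), colliding", BoundedRouteCache(200), True)):
        cost, size = flood(cache, 1000, collide)
        print(f"{name:24s} last request: {cost:5d} comparisons, cache size {size}")
```

With 1000 colliding requests the unbounded cache spends 1998 comparisons on the last request (999 in the failed lookup, 999 more before the insert) and holds 1000 entries, whereas distinct hash codes keep the last request at a few dozen comparisons. The bounded cache never exceeds 200 entries, so even under collisions the last request costs 398 comparisons: the attacker can still force collisions, but the work per request is capped rather than growing with the number of requests sent.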
Comment 4 Ted Jongseok Won 2020-07-13 08:57:32 UTC
Acknowledgments:

Name: Ben Manes (Vector)

Comment 13 RaTasha Tillery-Smith 2020-07-22 19:08:14 UTC
Red Hat Enterprise Linux 7 and 8 do not ship versions of RESTEasy that are affected by this flaw, as the vulnerable code was introduced in newer versions.

Comment 14 errata-xmlrpc 2020-07-30 13:36:00 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.3.4 SP1

Via RHSA-2020:3248 https://access.redhat.com/errata/RHSA-2020:3248

Comment 15 Product Security DevOps Team 2020-07-30 19:27:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14326

Comment 16 Jonathan Christison 2020-08-06 16:53:43 UTC
We are changing Camel-K to a low impact. Although Red Hat Integration Camel-K ships some RESTEasy components in the affected version range, they are not used as part of the Camel-K runtime; instead, camel-platform-http is used for exposing REST routes.

Comment 18 errata-xmlrpc 2020-12-16 12:14:48 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 20 errata-xmlrpc 2021-11-23 10:34:31 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 21 errata-xmlrpc 2021-12-02 16:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918