Bug 2251155 (CVE-2023-6267)

Summary: CVE-2023-6267 quarkus: json payload getting processed prior to security checks when rest resources are used with annotations.
Product: [Other] Security Response Reporter: Rohit Keshri <rkeshri>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adupliak, aileenc, anstephe, avibelli, bgeorges, chazlett, clement.escoffier, cmiranda, dandread, dkreling, fmongiar, gmalinko, gsmet, janstey, jmartisk, jnethert, lthon, marcel, max.andersen, mnovotny, mosmerov, olubyans, pcongius, pdelbell, peholase, pgallagh, pjindal, probinso, rguimara, rruss, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, security-response-team, tqvarnst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the json payload. If annotation based security is used to secure a REST resource, the JSON body that the resource may consume is being processed (deserialized) prior to the security constraints being evaluated and applied. This does not happen with configuration based security.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2251153    

Description Rohit Keshri 2023-11-23 06:34:38 UTC 
If annotation based security is used to secure a REST resource, the JSON body the resource may consume is being processed (deserialized) prior to the security constraints being evaluated/applied.

This does not happen with configuration based security. Then security constraints are being evaluated/applied before a JSON body is being processed.
Comment 5 errata-xmlrpc 2024-01-25 13:51:56 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP1

Via RHSA-2024:0494 https://access.redhat.com/errata/RHSA-2024:0494
Comment 6 errata-xmlrpc 2024-01-25 13:52:17 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.9.SP1

Via RHSA-2024:0495 https://access.redhat.com/errata/RHSA-2024:0495
Comment 8 marcel 2024-02-06 07:21:01 UTC 
It would be helpful if you could state in your documentation that this "3.2.9.SP1" version actually corresponds to 3.2.9.Final-redhat-00004 in the Maven repository. It was a guessing game. The https://access.redhat.com/documentation/en-us/red_hat_build_of_quarkus/quarkus-3.2/guide/1fb66449-7cb8-4328-8bb6-f11921699056 guide was updated on January 25th (the same day as this entry) mentioning that version.
Comment 9 marcel 2024-02-06 07:24:05 UTC 
Also, the 'lastUpdated' timestamp in https://maven.repository.redhat.com/ga/com/redhat/quarkus/platform/quarkus-bom/maven-metadata.xml confirmed this. It's January 25th as well.
Comment 11 anniesteuber 2024-03-14 06:41:01 UTC Comment hidden (spam)