Bug 2265158 (CVE-2024-1726)

Summary: CVE-2024-1726 quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: anstephe, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, gsmet, jmartisk, lthon, max.andersen, mosmerov, olubyans, pgallagh, pjindal, probinso, rruss, rsvoboda, sausingh, sbiarozk, tqvarnst
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2265150    

Description Robb Gatica 2024-02-20 18:09:22 UTC 
Description:
Security checks for standard security annotations on the RESTEasy Reactive inherited endpoints are not performed eagerly, but are performed by standard security interceptors instead. Apart from functional differences it also means security checks for inherited endpoints are not performed eagerly.

As long as you know any POST / PUT / PATCH request paths, you can send unauthenticated HTTP requests with illegal payload and see response status. When you get 500 ... this way you detect endpoints (though there can be other reasons...) Can you significantly raise processing time? You can send valid content which means requests will be stopped after JAX-RS filters. Resulting impact depends on what they do in JAX-RS filters.

Affected Quarkus version: 
999-SNAPSHOT, 3.8.x. 3.7.x, 3.2.x, 2.13.x

Mitigations with affected version: 
Don't use inherited endpoints (or use HTTP permissions, depending on the scenario)

References:
https://github.com/quarkusio/quarkus/pull/38832
https://github.com/quarkusio/quarkus/issues/38754
Comment 3 errata-xmlrpc 2024-04-03 10:53:26 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662