It was discovered that under certain conditions RESTEasy could be forced to parse a request with SerializableProvider, resulting in deserialization of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy.
Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to launch a remote code execution attack.
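As an added example that is not part of this bug record or of the RESTEasy project, the following pre-matching JAX-RS filter refuses any request whose declared Content-Type is a Java serialized object, so that a serialization-based MessageBodyReader such as SerializableProvider is never selected for an untrusted body. It assumes the standard JAX-RS 2.x API (javax.ws.rs) and that SerializableProvider is selected for the media type application/x-java-serialized-object; the class and method names are the example's own. Upgrading to the fixed packages listed in the errata below is the actual fix; this filter is defense in depth for deployments that cannot upgrade immediately.

```java
// Added example, not code from the advisory or from RESTEasy itself.
// A @PreMatching filter runs before resource and reader selection, so an
// aborted request never reaches any MessageBodyReader (SerializableProvider
// included). Assumption: SerializableProvider consumes
// "application/x-java-serialized-object".
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

@Provider
@PreMatching
public class RejectJavaSerializationFilter implements ContainerRequestFilter {

    // Media type handled by serialization-based readers (assumed, see above).
    static final MediaType JAVA_SERIALIZED =
            new MediaType("application", "x-java-serialized-object");

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (isJavaSerialized(ctx.getMediaType())) {
            // Abort before matching: the body is never read or deserialized.
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE)
                    .entity("Java serialization is not accepted")
                    .type(MediaType.TEXT_PLAIN_TYPE)
                    .build());
        }
    }

    /**
     * True when the declared Content-Type (if any) is a Java serialized
     * object. Parameters such as charset are ignored on purpose, so that
     * "application/x-java-serialized-object; charset=..." is also rejected.
     */
    static boolean isJavaSerialized(MediaType contentType) {
        return contentType != null
                && JAVA_SERIALIZED.getType().equalsIgnoreCase(contentType.getType())
                && JAVA_SERIALIZED.getSubtype().equalsIgnoreCase(contentType.getSubtype());
    }
}
```

Register the class like any other provider (classpath scanning or an explicit entry in your Application subclass). Requests with no Content-Type pass through unchanged, so only bodies explicitly declared as serialized Java objects are refused, which keeps JSON and XML endpoints unaffected.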
Name: Mikhail Egorov (Odin)
Created resteasy tracking bugs for this issue:
Affects: fedora-all [bug 1378616]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:2604 https://rhn.redhat.com/errata/RHSA-2016-2604.html
Our initial analysis of JBoss Fuse 6 showed that it was using a vulnerable version of resteasy. However, after further analysis we discovered that it's being used by the Fabric8 Support Webapp feature, which is a RESTful webservice client, so it is not affected by this issue.