It was found that SnakeYAML unmarshalling is exploitable for code execution. As RESTeasy enables the yaml provider by default, this is exploitable for JAX-RS applications specifying either a yaml content type @Consumes or one without type specification.
Acknowledgments: Name: Moritz Bechler (AgNO3 GmbH & Co. KG)
For Resteasy, it's a requirement that the @Consumes() annotation doesn't define a mime type, or defines a multipart mime type. Explicitly defining 'text/x-yaml' would also make that endpoint vulnerable. If the @Consumes annotation explicitly defines an 'application/json' or 'application/xml' it is not vulnerable.
Resteasy versions from 3.0-beta-1 up to and including 3.1.0.CR3 are potentially affected. Resteasy versions from 2.2.0.GA in the 2.x range are also potentially affected.
EAP 7.0 is not affected because of a bug in Resteasy which prevents the loading of YamlProvider in that version. The YamlProvider is unsupported: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/700-release-notes/chapter-3-unsupported-and-deprecated-functionality However, we do plan to fix this issue in EAP 7.1.
Mitigation: Add authentication and authorization to any Resteasy endpoint which doesn't define a mime type, or defines a multipart mime type.
Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1404912]
Upstream tracker can be found here: https://issues.jboss.org/browse/RESTEASY-1618
Please note that the previous CVE (CVE-2016-9571) was rejected in favor of the newly assigned CVE-2016-9606. This was because the CVE-2016-9571 ID was mistakenly double-assigned by MITRE to a Camel issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9571
Statement: YamlProvider was removed from the default list of providers to prevent a malicious user from requesting a payload be marshalled with Yaml. If marshalling of Yaml content is desired, add or append a file with the name 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'. If YamlProvider is re-added to the default list of providers it's recommended to add authentication and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.
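The endpoint conditions from comment #4 (no @Consumes media type, a multipart type, or an explicit 'text/x-yaml' lets RESTEasy select YamlProvider; explicit 'application/json' or 'application/xml' does not) and the Providers service file named in the statement above, as an added audit script that is not code from this bug or from the RESTEasy project. The Java resource, the service-file content and the regex-based method matching are constructed assumptions (method-level annotations only; class-level @Consumes is not modelled).

```python
import re
# Constructed sample JAX-RS resource (not RESTEasy project code) with the advisory's cases.
SAMPLE_JAVA = '''
@Path("/orders")
public class OrderResource {
    @POST @Path("/json") @Consumes("application/json") public Response createJson(Order o) { return null; }
    @POST @Path("/any") public Response createAny(Order o) { return null; }
    @POST @Path("/upload") @Consumes("multipart/form-data") public Response upload(MultipartInput in) { return null; }
    @POST @Path("/yaml") @Consumes({"application/json", "text/x-yaml"}) public Response createYaml(Order o) { return null; }
    @GET @Path("/{id}") public Response read(@PathParam("id") String id) { return null; }
}
'''
# Constructed META-INF/services/javax.ws.rs.ext.Providers content, as a deployment might ship it.
SAMPLE_PROVIDERS = "# custom providers\norg.jboss.resteasy.plugins.providers.YamlProvider\n"
YAML_PROVIDER = "org.jboss.resteasy.plugins.providers.YamlProvider"
# A run of annotations followed by a public method declaration (method-level annotations only).
METHOD_RE = re.compile(r'(?P<annos>(?:@\w+(?:\([^)]*\))?\s*)+)public\s+\S+\s+(?P<name>\w+)\s*\(')
CONSUMES_RE = re.compile(r'@Consumes\s*\(([^)]*)\)')

def consumes_types(annos):
    """Return the media types listed in @Consumes, or None if the annotation is absent."""
    m = CONSUMES_RE.search(annos)
    return None if m is None else re.findall(r'"([^"]+)"', m.group(1))

def classify(types):
    """Reason the endpoint can reach YamlProvider, or None if it cannot."""
    if types is None:
        return "no @Consumes media type"
    # Only the types the advisory names are flagged; explicit JSON/XML are not.
    risky = [t for t in types if t == "text/x-yaml" or t.startswith("multipart/")]
    return "accepts " + ", ".join(risky) if risky else None

def audit(source):
    """List (method, reason) for body-reading methods that can select YamlProvider."""
    findings = []
    for m in METHOD_RE.finditer(source):
        annos = m.group("annos")
        if not re.search(r'@(POST|PUT|PATCH)\b', annos):
            continue  # GET/DELETE etc. unmarshal no request body
        reason = classify(consumes_types(annos))
        if reason:
            findings.append((m.group("name"), reason))
    return findings

def yaml_provider_registered(services_text):
    """True if the Providers service file re-enables YamlProvider (comments ignored)."""
    lines = (l.strip() for l in services_text.splitlines())
    return YAML_PROVIDER in {l for l in lines if l and not l.startswith("#")}
```

Endpoints it reports are the ones where the statement's advice applies: either keep YamlProvider out of the service file, or put authentication and authorization in front of them.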
(In reply to Jason Shepherd from comment #15)
> Upstream tracker can be found here:
> https://issues.jboss.org/browse/RESTEASY-1618

According to the information in the still non-public RESTEASY-1618, this was fixed in resteasy 3.0.22 and 3.1.2. The following upstream commit references RESTEASY-1618: https://github.com/resteasy/Resteasy/commit/bccadffa2df8ecaff6616df18d2f3b1210866b99 It seems to disable Yaml provider. There is no mention of the change in the announcement blog post or upstream release notes:
https://developer.jboss.org/en/resteasy/blog/2017/03/31/resteasy-312final-and-3022final-are-out
https://issues.jboss.org/secure/ReleaseNote.jspa?version=12333793&styleName=Text&projectId=12310560&Create=Create
https://issues.jboss.org/secure/ReleaseNote.jspa?version=12333792&styleName=Text&projectId=12310560&Create=Create
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1254 https://access.redhat.com/errata/RHSA-2017:1254
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:1253 https://access.redhat.com/errata/RHSA-2017:1253
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:1256 https://access.redhat.com/errata/RHSA-2017:1256
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.15 Via RHSA-2017:1255 https://access.redhat.com/errata/RHSA-2017:1255
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1260 https://access.redhat.com/errata/RHSA-2017:1260
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0.6 Via RHSA-2017:1409 https://rhn.redhat.com/errata/RHSA-2017-1409.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2017:1411 https://access.redhat.com/errata/RHSA-2017:1411
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1410 https://access.redhat.com/errata/RHSA-2017:1410
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2017:1412 https://access.redhat.com/errata/RHSA-2017:1412
This issue has been addressed in the following products: Red Hat JBoss BRMS Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676
This issue has been addressed in the following products: Red Hat JBoss BPM Suite Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2018:2909 https://access.redhat.com/errata/RHSA-2018:2909
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2018:2913 https://access.redhat.com/errata/RHSA-2018:2913
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676