The CORS Filter did not add an HTTP Vary header (Vary: Origin) indicating that the response varies depending on the request's Origin header. A cache that does not see that dependency can store a response whose Access-Control-Allow-Origin header was computed for one origin and serve it for requests from other origins, which permitted client- and server-side cache poisoning in some circumstances. Resteasy versions >=3.0.7 are affected because they include the CORS Filter.
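The following is an added example, not RESTEasy's CorsFilter or any Red Hat code. It models the defect described above: a CORS-aware origin server whose Access-Control-Allow-Origin header depends on the request's Origin, placed behind a shared cache that keys entries on the URL plus the request header values named in Vary (RFC 7234 section 4.1). With the Vary header omitted, whichever origin primes the cache decides the CORS headers every later caller sees; with Vary: Origin present, each origin gets its own entry. The allow-list, hostnames and URL are made up for the demonstration.

```python
"""Cache-poisoning model for a CORS filter that omits `Vary: Origin`.

Added example (not RESTEasy code). The allow-list and hostnames below are
hypothetical.
"""
from typing import Dict, List, Optional, Tuple

# Hypothetical allow-list for the demonstration.
ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}

Headers = Dict[str, str]


def cors_response(request_headers: Headers, add_vary: bool) -> Headers:
    """Build response headers the way a reflecting CORS filter does.

    add_vary=False reproduces the defect (no `Vary: Origin`);
    add_vary=True is the fixed behaviour.
    """
    resp: Headers = {"Cache-Control": "public, max-age=600"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        resp["Vary"] = "Origin"
    return resp


class SharedCache:
    """Minimal shared (proxy/CDN style) cache honouring Vary.

    An entry matches only if the URL matches and every request header named
    in the stored response's Vary has the value it had when the entry was
    stored. A response without Vary is served to every caller of that URL.
    """

    def __init__(self) -> None:
        # Each entry: (url, vary header names, their values at store time, response)
        self._entries: List[Tuple[str, Tuple[str, ...], Tuple[str, ...], Headers]] = []

    @staticmethod
    def _vary_names(resp: Headers) -> Tuple[str, ...]:
        return tuple(h.strip().lower() for h in resp.get("Vary", "").split(",") if h.strip())

    @staticmethod
    def _values(names: Tuple[str, ...], req: Headers) -> Tuple[str, ...]:
        lowered = {k.lower(): v for k, v in req.items()}
        return tuple(lowered.get(n, "") for n in names)

    def lookup(self, url: str, req: Headers) -> Optional[Headers]:
        for entry_url, names, values, resp in self._entries:
            if entry_url == url and self._values(names, req) == values:
                return resp
        return None

    def store(self, url: str, req: Headers, resp: Headers) -> None:
        names = self._vary_names(resp)
        self._entries.append((url, names, self._values(names, req), resp))


def run_scenario(add_vary: bool, origins: List[Optional[str]]) -> List[Tuple[bool, Optional[str]]]:
    """Replay requests from the given Origins (None = no Origin header) through
    one shared cache. Returns (cache_hit, Access-Control-Allow-Origin seen) per request."""
    cache = SharedCache()
    url = "https://api.example/v1/profile"  # hypothetical resource
    seen: List[Tuple[bool, Optional[str]]] = []
    for origin in origins:
        req: Headers = {"Origin": origin} if origin else {}
        resp = cache.lookup(url, req)
        hit = resp is not None
        if resp is None:
            resp = cors_response(req, add_vary)
            cache.store(url, req, resp)
        seen.append((hit, resp.get("Access-Control-Allow-Origin")))
    return seen


if __name__ == "__main__":
    # A disallowed origin primes the cache; the legitimate app then hits the
    # poisoned entry and receives no Access-Control-Allow-Origin at all.
    primers: List[Optional[str]] = ["https://attacker.example", "https://app.example"]
    print("without Vary:", run_scenario(False, primers))
    print("with Vary   :", run_scenario(True, primers))
```

Two circumstances fall out of the model: a caller whose origin is not allowed can prime a cached response that lacks Access-Control-Allow-Origin, so later cross-origin requests from an allowed origin fail, and an allowed origin can prime an entry carrying its own Access-Control-Allow-Origin (with Allow-Credentials) that is then served to a different allowed origin. Checking a real deployment reduces to confirming that responses carrying CORS headers also carry Vary: Origin.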
Acknowledgments: Name: Jason Shepherd (Red Hat Product Security)
RHMAP uses RestEasy in UPS, but does not use the CorsFilter class. Marking as not affected.
Fixed upstream in Resteasy 4.0.0 via https://issues.jboss.org/browse/RESTEASY-1704
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:0478 https://access.redhat.com/errata/RHSA-2018:0478
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:0480 https://access.redhat.com/errata/RHSA-2018:0480
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0479 https://access.redhat.com/errata/RHSA-2018:0479
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7, Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:0481 https://access.redhat.com/errata/RHSA-2018:0481
JDG 7.3 includes resteasy-jaxrs-3.6.1.SP2-redhat-00001.jar and I have verified that this jar contains the fix already hence marking JDG 7 as "not affected".
RHSSO 7.3.5 ships ./modules/system/layers/base/.overlays/layer-base-rh-sso-7.3.5.CP/org/jboss/resteasy/resteasy-jaxrs/main/resteasy-jaxrs-3.6.1.SP7-redhat-00001.jar, which is not affected.