Bug 1855826 (CVE-2020-14326) - CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
Summary: CVE-2020-14326 RESTEasy: Caching routes in RootNode may result in DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14326
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1855263
Reported: 2020-07-10 15:40 UTC by Michael Kaplan
Modified: 2021-12-02 16:17 UTC (History)
CC List: 56 users

Fixed In Version: resteasy 4.5.6.Final
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in RESTEasy, where RootNode incorrectly caches routes. This issue results in hash flooding, leading to slower requests with higher CPU time spent searching and adding the entry. This flaw allows an attacker to cause a denial of service.
Clone Of:
Environment:
Last Closed: 2020-07-30 19:27:43 UTC


Links:
Red Hat Product Errata RHSA-2020:3248 (last updated 2020-07-30 13:36:03 UTC)
Red Hat Product Errata RHSA-2020:5568 (last updated 2020-12-16 12:14:58 UTC)
Red Hat Product Errata RHSA-2021:4767 (last updated 2021-11-23 10:34:33 UTC)
Red Hat Product Errata RHSA-2021:4918 (last updated 2021-12-02 16:17:46 UTC)

Description Michael Kaplan 2020-07-10 15:40:34 UTC
The API calls are successfully routed by RESTEasy, while this cache grows
unbounded. Due to keys having the same hash code, each subsequent request
gets slower as more CPU time is spent searching and adding the entry. A
simple load generator could exploit this to make the endpoint unresponsive.

The media type itself is cached by MediaTypeHeaderDelegate, which protects
itself by using a fixed size cache (default of 200) that is cleared when
growing beyond the threshold. Since the RootNode cache is unbounded and not
accessible, it is subject to this exploit.

References:

https://issues.redhat.com/browse/RESTEASY-2643
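The report contrasts an unbounded cache keyed by client-controlled input with the fixed-size, clear-on-overflow cache that MediaTypeHeaderDelegate uses. The following Java program is an added illustration of that mitigation pattern; it is not RESTEasy code, and the class names, the `resolve()` stand-in for route resolution, and the constructed keys are all hypothetical. It feeds the same stream of distinct keys to an unbounded map, to a cache that is cleared when it passes a threshold (the approach the report describes), and to an LRU cache with the same bound, so the difference in growth is visible.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration, not RESTEasy code. Class and method names are hypothetical;
// resolve() stands in for the expensive lookup the cache is meant to avoid repeating.
public class BoundedLookupCacheDemo {

    static String resolve(String key) {
        // Placeholder for the real computation (in RESTEasy, the route match).
        return "resolved:" + key;
    }

    /** Unbounded: one new entry per distinct key the client sends, never evicted. */
    static final class UnboundedCache {
        private final Map<String, String> entries = new ConcurrentHashMap<>();

        String lookup(String key) {
            return entries.computeIfAbsent(key, BoundedLookupCacheDemo::resolve);
        }

        int size() { return entries.size(); }
    }

    /**
     * Fixed-size, cleared when it grows past the threshold: the approach the report
     * describes for MediaTypeHeaderDelegate (default threshold 200).
     */
    static final class ClearOnThresholdCache {
        private final int maxEntries;
        private final Map<String, String> entries = new ConcurrentHashMap<>();

        ClearOnThresholdCache(int maxEntries) { this.maxEntries = maxEntries; }

        String lookup(String key) {
            String hit = entries.get(key);
            if (hit != null) {
                return hit;
            }
            String value = resolve(key);
            if (entries.size() >= maxEntries) {
                entries.clear(); // caps memory and bucket-chain length regardless of hash quality
            }
            entries.put(key, value);
            return value;
        }

        int size() { return entries.size(); }
    }

    /** LRU alternative: same bound, but evicts one stale entry instead of dropping everything. */
    static final class LruCache {
        private final Map<String, String> entries;

        LruCache(int maxEntries) {
            // Access-ordered LinkedHashMap; removeEldestEntry enforces the cap on every insert.
            entries = Collections.synchronizedMap(new LinkedHashMap<String, String>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                    return size() > maxEntries;
                }
            });
        }

        String lookup(String key) {
            return entries.computeIfAbsent(key, BoundedLookupCacheDemo::resolve);
        }

        int size() { return entries.size(); }
    }

    public static void main(String[] args) {
        UnboundedCache unbounded = new UnboundedCache();
        ClearOnThresholdCache cleared = new ClearOnThresholdCache(200);
        LruCache lru = new LruCache(200);

        // Constructed input: 10,000 distinct, benign keys of the kind a client that
        // controls a request header could produce. Only the count matters here.
        for (int i = 0; i < 10_000; i++) {
            String key = "application/vnd.example." + i + "+json";
            unbounded.lookup(key);
            cleared.lookup(key);
            lru.lookup(key);
        }

        System.out.println("unbounded cache size:    " + unbounded.size());
        System.out.println("clear-on-threshold size: " + cleared.size());
        System.out.println("lru cache size:          " + lru.size());
    }
}
```

Run with `javac BoundedLookupCacheDemo.java && java BoundedLookupCacheDemo`: the unbounded map ends up holding every key it was ever asked for, while both bounded variants stay at or below 200 entries. A count bound is the robust fix because it limits the worst case (memory and the number of entries that can share a bucket) no matter how the keys hash; the tree-ification that `HashMap` applies to long collision chains of `Comparable` keys since Java 8 softens the per-lookup cost but does nothing about the unbounded growth the report describes.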

Comment 4 Ted Jongseok Won 2020-07-13 08:57:32 UTC
Acknowledgments:

Name: Ben Manes (Vector)

Comment 13 RaTasha Tillery-Smith 2020-07-22 19:08:14 UTC
Red Hat Enterprise Linux 7 and 8 do not ship versions of RESTEasy that are affected by this flaw, as the vulnerable code was introduced in newer versions.

Comment 14 errata-xmlrpc 2020-07-30 13:36:00 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.3.4 SP1

Via RHSA-2020:3248 https://access.redhat.com/errata/RHSA-2020:3248

Comment 15 Product Security DevOps Team 2020-07-30 19:27:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14326

Comment 16 Jonathan Christison 2020-08-06 16:53:43 UTC
We are changing Camel-K to a low impact. Although Red Hat Integration Camel-K ships some RESTEasy components in the affected version range, they are not used as part of the Camel-K runtime; instead, camel-platform-http is used for exposing REST routes.

Comment 18 errata-xmlrpc 2020-12-16 12:14:48 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Comment 20 errata-xmlrpc 2021-11-23 10:34:31 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 21 errata-xmlrpc 2021-12-02 16:17:43 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918