Bug 1935927 (CVE-2021-20289) - CVE-2021-20289 resteasy: Error message exposes endpoint class information
Summary: CVE-2021-20289 resteasy: Error message exposes endpoint class information
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20289
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: low (priority) / low (severity)
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1936941 1938279 1941544 1941545 1941546
Blocks: 1935929 1939063 1939790 2014197
Reported: 2021-03-05 19:59 UTC by Pedro Sampaio
Modified: 2022-09-09 07:12 UTC (History)
CC List: 115 users

Fixed In Version: resteasy 3.11.5.Final, resteasy 3.15.2.Final, resteasy 4.5.10.Final, resteasy 4.6.1.Final, resteasy 4.6.2.Final
Clone Of:
Environment:
Last Closed: 2021-09-30 12:21:10 UTC
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3700 0 None None None 2021-09-30 09:57:53 UTC
Red Hat Product Errata RHSA-2021:3880 0 None None None 2021-10-20 11:29:55 UTC
Red Hat Product Errata RHSA-2021:4100 0 None None None 2021-11-02 12:42:44 UTC
Red Hat Product Errata RHSA-2021:4676 0 None None None 2021-11-15 17:16:37 UTC
Red Hat Product Errata RHSA-2021:4677 0 None None None 2021-11-15 17:16:50 UTC
Red Hat Product Errata RHSA-2021:4679 0 None None None 2021-11-15 17:06:43 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:34:56 UTC
Red Hat Product Errata RHSA-2021:5149 0 None None None 2021-12-15 14:49:32 UTC
Red Hat Product Errata RHSA-2021:5150 0 None None None 2021-12-15 14:35:25 UTC
Red Hat Product Errata RHSA-2021:5151 0 None None None 2021-12-15 14:41:01 UTC
Red Hat Product Errata RHSA-2021:5154 0 None None None 2021-12-15 14:42:38 UTC
Red Hat Product Errata RHSA-2021:5170 0 None None None 2021-12-15 19:08:55 UTC
Red Hat Product Errata RHSA-2022:0146 0 None None None 2022-01-17 12:03:00 UTC
Red Hat Product Errata RHSA-2022:0151 0 None None None 2022-01-17 21:31:29 UTC
Red Hat Product Errata RHSA-2022:0152 0 None None None 2022-01-17 21:30:36 UTC
Red Hat Product Errata RHSA-2022:0155 0 None None None 2022-01-17 21:46:38 UTC
Red Hat Product Errata RHSA-2022:0164 0 None None None 2022-01-18 14:53:44 UTC
Red Hat Product Errata RHSA-2022:1179 0 None None None 2022-04-12 19:06:22 UTC
Red Hat Product Errata RHSA-2022:6407 0 None None None 2022-09-09 07:12:27 UTC

Description Pedro Sampaio 2021-03-05 19:59:45 UTC
A flaw was found in resteasy. The endpoint class and method names are returned as part of the exception response when Resteasy cannot convert one of the request URI path/query/matrix parameters to a value expected by a given resource class/method parameter.

References:

https://issues.redhat.com/browse/RESTEASY-2843
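The description above concerns the body of the error response, so one deployment-side mitigation is to stop the exception message from reaching the client at all. The following catch-all JAX-RS ExceptionMapper is an added example, not RESTEasy's own code or the upstream fix; it assumes the javax.ws.rs API (jakarta.ws.rs on newer stacks), that the conversion failure surfaces either as a javax.ws.rs.WebApplicationException or as the RESTEasy SPI type org.jboss.resteasy.spi.Failure, and the class name GenericErrorMapper is made up.

```java
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ExceptionMapper;
import javax.ws.rs.ext.Provider;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.jboss.resteasy.spi.Failure;

// Added example, not RESTEasy's own code. Picked up via @Provider (or listed in the
// Application's getClasses()). It keeps the HTTP status the runtime chose but replaces
// the exception message, so a failed @PathParam/@QueryParam/@MatrixParam conversion
// cannot echo the resource class and method signature back to the client.
@Provider
public class GenericErrorMapper implements ExceptionMapper<Throwable> {

    private static final Logger LOG = Logger.getLogger(GenericErrorMapper.class.getName());

    @Override
    public Response toResponse(Throwable t) {
        int status = Response.Status.INTERNAL_SERVER_ERROR.getStatusCode();
        if (t instanceof WebApplicationException) {
            // Standard JAX-RS exceptions carry their own Response; reuse its status only.
            Response r = ((WebApplicationException) t).getResponse();
            if (r != null) {
                status = r.getStatus();
            }
        } else if (t instanceof Failure) {
            // RESTEasy SPI failures carry the HTTP code separately (assumed type, see lead-in).
            int code = ((Failure) t).getErrorCode();
            if (code > 0) {
                status = code;
            }
        }
        // Everything useful for debugging, including the original message, goes to the
        // server log only; the client receives a fixed, content-free body.
        LOG.log(Level.WARNING, "request failed with HTTP " + status, t);
        String body = status >= 500 ? "Internal server error" : "Request could not be processed";
        return Response.status(status).type(MediaType.TEXT_PLAIN).entity(body).build();
    }
}
```

A mapper for Throwable replaces the runtime's default handling for every exception that has no more specific mapper, so it is a stopgap alongside, not instead of, the fixed RESTEasy versions listed in this bug.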

Comment 8 Alexander Scheel 2021-03-16 23:20:09 UTC
JFTR it doesn't look (from RESTEASY-2843 or the upstream repo) like this CVE is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will be fixed in the upcoming release 4.7.0.Final.

Comment 9 Ted Jongseok Won 2021-03-17 04:50:03 UTC
In reply to comment #8:
> JFTR it doesn't look (from RESTEASY-2843 or the upstream repo) like this CVE
> is fixed in 4.6.0.Final as mentioned in the Doc Text. It looks like it will
> be fixed in the upcoming release 4.7.0.Final.

Thank you for pointing it out. We've fixed it. Thanks!

Comment 10 Ted Jongseok Won 2021-03-22 04:09:51 UTC
Acknowledgments:

Name: Dirk Papenberg (NTT DATA Germany)

Comment 11 Riccardo Schirone 2021-03-22 10:53:03 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1941544]

Comment 26 Ted Jongseok Won 2021-07-21 05:46:09 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Data Grid 7
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss BPMS 6
 * Red Hat JBoss BRMS 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 29 errata-xmlrpc 2021-09-30 09:57:48 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700

Comment 30 Product Security DevOps Team 2021-09-30 12:21:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20289

Comment 32 errata-xmlrpc 2021-10-20 11:29:50 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.3

Via RHSA-2021:3880 https://access.redhat.com/errata/RHSA-2021:3880

Comment 33 errata-xmlrpc 2021-11-02 12:42:38 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.2 GA

Via RHSA-2021:4100 https://access.redhat.com/errata/RHSA-2021:4100

Comment 35 errata-xmlrpc 2021-11-15 17:06:38 UTC
This issue has been addressed in the following products:

  EAP 7.4.2 release

Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679

Comment 36 errata-xmlrpc 2021-11-15 17:16:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676

Comment 37 errata-xmlrpc 2021-11-15 17:16:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677

Comment 38 errata-xmlrpc 2021-11-23 10:34:53 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

Comment 39 errata-xmlrpc 2021-12-15 14:35:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150

Comment 40 errata-xmlrpc 2021-12-15 14:40:56 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151

Comment 41 errata-xmlrpc 2021-12-15 14:42:34 UTC
This issue has been addressed in the following products:

  EAP 7.3.10 GA

Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154

Comment 42 errata-xmlrpc 2021-12-15 14:49:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149

Comment 43 errata-xmlrpc 2021-12-15 19:08:51 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170

Comment 44 errata-xmlrpc 2022-01-17 12:02:54 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP 2 via EAP 7.3.x base

Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146

Comment 45 errata-xmlrpc 2022-01-17 21:30:31 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152

Comment 46 errata-xmlrpc 2022-01-17 21:31:23 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151

Comment 47 errata-xmlrpc 2022-01-17 21:46:33 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155

Comment 48 errata-xmlrpc 2022-01-18 14:53:39 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164

Comment 49 errata-xmlrpc 2022-04-12 19:06:17 UTC
This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.5.10

Via RHSA-2022:1179 https://access.redhat.com/errata/RHSA-2022:1179

Comment 50 errata-xmlrpc 2022-09-09 07:12:22 UTC
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
