2265158 – (CVE-2024-1726) CVE-2024-1726 quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service

Bug 2265158 (CVE-2024-1726) - CVE-2024-1726 quarkus: security checks for some inherited endpoints performed after serialization in RESTEasy Reactive may trigger a denial of service

Summary: CVE-2024-1726 quarkus: security checks for some inherited endpoints performed...

Keywords:
Status:	NEW
Alias:	CVE-2024-1726
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2265150
TreeView+	depends on / blocked

Reported:	2024-02-20 18:09 UTC by Robb Gatica
Modified:	2024-05-15 07:49 UTC (History)
CC List:	22 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:1662	0	None	None	None	2024-04-03 10:53:28 UTC

Description Robb Gatica 2024-02-20 18:09:22 UTC

Description:
Security checks for standard security annotations on the RESTEasy Reactive inherited endpoints are not performed eagerly, but are performed by standard security interceptors instead. Apart from functional differences it also means security checks for inherited endpoints are not performed eagerly.

As long as you know any POST / PUT / PATCH request paths, you can send unauthenticated HTTP requests with illegal payload and see response status. When you get 500 ... this way you detect endpoints (though there can be other reasons...) Can you significantly raise processing time? You can send valid content which means requests will be stopped after JAX-RS filters. Resulting impact depends on what they do in JAX-RS filters.

Affected Quarkus version: 
999-SNAPSHOT, 3.8.x. 3.7.x, 3.2.x, 2.13.x

Mitigations with affected version: 
Don't use inherited endpoints (or use HTTP permissions, depending on the scenario)

References:
https://github.com/quarkusio/quarkus/pull/38832
https://github.com/quarkusio/quarkus/issues/38754

Comment 3 errata-xmlrpc 2024-04-03 10:53:26 UTC

This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Note You need to log in before you can comment on or make changes to this bug.

anstephe
avibelli
bgeorges
chazlett
clement.escoffier
dandread
dkreling
gsmet
jmartisk
lthon
max.andersen
mosmerov
olubyans
pgallagh
pjindal
probinso
rruss
rsvoboda
sausingh
sbiarozk
sdouglas
tqvarnst