Bug 1372117 (CVE-2016-6345) - CVE-2016-6345 RESTEasy: Insufficient use of random values in RESTEasy async jobs could lead to loss of data confidentiality
Status: NEW
Alias: CVE-2016-6345
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20160901,reported=2...
Keywords: Security
Depends On: 1372118 1471273 1480769 1471274
Blocks: 1371804 1372141 1372565 1372568 1372571
 
Reported: 2016-09-01 00:30 UTC by Jason Shepherd
Modified: 2019-04-22 21:31 UTC

Clone Of:
Last Closed:



Description Jason Shepherd 2016-09-01 00:30:16 UTC
It was found that there was insufficient use of random values in RESTEasy async jobs. An attacker could use this flaw to steal user data.

Comment 1 Jason Shepherd 2016-09-01 00:31:07 UTC
Acknowledgments:

Name: Mikhail Egorov (Odin)

Comment 2 Jason Shepherd 2016-09-01 00:32:26 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1372118]

Comment 4 Jason Shepherd 2016-09-01 04:48:07 UTC
Mitigation:

Don't enable Async Jobs Service as detailed in the section, "2.10. RESTEASY ASYNCHRONOUS JOB SERVICE" of JBoss EAP 7 Developing Web Services Applications documentation: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/7.0/paged/developing-web-services-applications/chapter-2-developing-jax-rs-web-services
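
The mitigation above is a deployment-descriptor setting. The following web.xml fragments are an added, constructed illustration (not code from this bug report and not RESTEasy's own code) showing the setting that exposes the Asynchronous Job Service next to the mitigated form. The context-parameter name resteasy.async.job.service.enabled is taken from the RESTEasy documentation referenced in the comment; the application name and the rest of the descriptor are assumptions made for the example.

```xml
<!-- WEAK (constructed example): this enables the RESTEasy Asynchronous Job
     Service, which is the component CVE-2016-6345 concerns. The service is
     off unless this parameter is set to true. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>example-jaxrs-app</display-name>   <!-- assumed name -->
  <context-param>
    <param-name>resteasy.async.job.service.enabled</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>

<!-- MITIGATED (constructed example): the parameter is set to false, which is
     equivalent to omitting it entirely. Asynchronous job endpoints are not
     registered, so there are no job results for a guessed job ID to return. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>example-jaxrs-app</display-name>   <!-- assumed name -->
  <context-param>
    <param-name>resteasy.async.job.service.enabled</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
```

To audit a deployment, search every WEB-INF/web.xml in the deployed archives for resteasy.async.job.service.enabled and treat any occurrence with the value true as affected until the patched RESTEasy build is in place; an application that never sets the parameter does not have the job service enabled.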

Comment 9 Kurt Seifried 2017-07-14 21:15:50 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1471273]

Comment 11 Kurt Seifried 2017-08-11 20:40:21 UTC
Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1480769]

