1378613 – (CVE-2016-7050) CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data

Bug 1378613 (CVE-2016-7050) - CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data

Summary: CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializ...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2016-7050
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1378616 1378618 1378619
Blocks:	1371804
TreeView+	depends on / blocked

Reported:	2016-09-22 23:37 UTC by Jason Shepherd
Modified:	2021-02-17 03:17 UTC (History)
CC List:	30 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	It was discovered that under certain conditions RESTEasy could be forced to parse a request with SerializableProvider, resulting in deserialization of potentially untrusted data. An attacker could possibly use this flaw execute arbitrary code with the permissions of the application using RESTEasy.
Clone Of:
Environment:
Last Closed:	2017-08-04 03:14:19 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2604	0	normal	SHIPPED_LIVE	Important: resteasy-base security and bug fix update	2016-11-03 12:13:14 UTC

Description Jason Shepherd 2016-09-22 23:37:27 UTC

Under certain conditions it's possible for an attacker to force the use of a SerializableProvider to parse a request in RESTEasy. An attacker can use this flaw to lauch a remote code execution attack.

Comment 1 Jason Shepherd 2016-09-22 23:37:39 UTC

Acknowledgments:

Name: Mikhail Egorov (Odin)

Comment 2 Jason Shepherd 2016-09-22 23:42:11 UTC

Created resteasy tracking bugs for this issue:

Affects: fedora-all [bug 1378616]

Comment 11 errata-xmlrpc 2016-11-03 21:23:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2604 https://rhn.redhat.com/errata/RHSA-2016-2604.html

Comment 13 Jason Shepherd 2016-11-18 01:24:06 UTC

Our initial analysis of JBoss Fuse 6 showed that it was using a vulnerable version of resteasy. However after further analysis we discovered that it's being used by the Fabic8, Support Webapp feature, which a Restful webservice client, so is not affected by this issue.

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alee
bbaranow
bmaxwell
cdewolf
chazlett
csutherl
dandread
darran.lofthouse
dkholia
dosoudil
fnasser
jason.greene
java-sig-commits
jawilson
jboss-set
jshepherd
kbost
lgao
mgoldman
myarboro
pavelp
pgier
psakar
pslavice
rnetuka
rsvoboda
twalsh
vtunka
weli