{
  "threat_severity" : "Moderate",
  "public_date" : "2018-01-18T00:00:00Z",
  "bugzilla" : {
    "description" : "resteasy: Unsafe unmarshalling in YamlProvider allows code execution",
    "id" : "1535411",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1535411"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-20",
  "details" : [ "It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via `Yaml.load()` in YamlProvider." ],
  "statement" : "This issue only affects applications which have the YamlProvider explicitly enabled by adding or appending a file with the name 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'.\nresteasy-base as shipped in Red Hat Enterprise Linux 7 does not include YamlProvider.\nRed Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.\nThis issue affects the versions of resteasy as shipped with Red Hat Satellite version 6; however, Satellite version 6 does not use the affected functionality. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.\nFor additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.",
  "acknowledgement" : "Red Hat would like to thank Rui Chong (Baidu) for reporting this issue.",
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "resteasy-base",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss Portal 6",
    "fix_state" : "Out of support scope",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Out of support scope",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat Mobile Application Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "millicore",
    "cpe" : "cpe:/a:redhat:mobile_application_platform:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "resteasy",
    "cpe" : "cpe:/a:rhel_sam:1"
  }, {
    "product_name" : "Red Hat Virtualization 4",
    "fix_state" : "Will not fix",
    "package_name" : "eap7-resteasy-yaml-provider",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1051\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1051" ],
  "name" : "CVE-2018-1051",
  "mitigation" : {
    "value" : "If the YamlProvider is enabled, it is recommended to add authentication and authorization to the endpoint that expects Yaml content to prevent exploitation of this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}