CVE-2016-6346

Impact:
Moderate
Public Date:
2016-09-01
Bugzilla:
1372120: CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.
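
As an added example (not code from this advisory or from RESTEasy itself), the following JAX-RS 2.0 ReaderInterceptor shows the two controls an always-on GZIP interceptor lacks: it only inflates request bodies when it has been explicitly registered, and it caps the number of inflated bytes so a small compressed body cannot consume unbounded memory or CPU. The class name, the limit, the 413 response and the javax.ws.rs API namespace are assumptions.

```java
import java.io.FilterInputStream;
import java.io.IOException;
import java.util.zip.GZIPInputStream;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.ReaderInterceptor;
import javax.ws.rs.ext.ReaderInterceptorContext;

// Deliberately not annotated with @Provider: register it explicitly, and only
// on applications whose endpoints actually expect gzip-encoded request bodies.
public class BoundedGzipReaderInterceptor implements ReaderInterceptor {
    private final long maxDecompressedBytes; // assumed cap; size it for the endpoint

    public BoundedGzipReaderInterceptor(long maxDecompressedBytes) {
        this.maxDecompressedBytes = maxDecompressedBytes;
    }

    @Override
    public Object aroundReadFrom(ReaderInterceptorContext ctx) throws IOException {
        String encoding = ctx.getHeaders().getFirst("Content-Encoding");
        if (encoding != null && encoding.trim().equalsIgnoreCase("gzip")) {
            ctx.setInputStream(new FilterInputStream(new GZIPInputStream(ctx.getInputStream())) {
                private long consumed; // inflated bytes handed to the entity reader so far
                // The cap is checked on inflated bytes, not on the (small) compressed wire size.
                private void count(long n) {
                    consumed += n;
                    if (consumed > maxDecompressedBytes) {
                        throw new WebApplicationException("decompressed body exceeds " + maxDecompressedBytes + " bytes",
                                Response.Status.REQUEST_ENTITY_TOO_LARGE);
                    }
                }
                @Override public int read() throws IOException {
                    int b = super.read();
                    if (b != -1) count(1);
                    return b;
                }
                @Override public int read(byte[] buf, int off, int len) throws IOException {
                    int n = super.read(buf, off, len);
                    if (n > 0) count(n);
                    return n;
                }
            });
        }
        return ctx.proceed();
    }
}
```

Requests whose inflated size crosses the cap are rejected with 413 before the entity reader finishes, so the cost of a crafted body is bounded by the configured limit rather than by its compression ratio.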

Find out more about CVE-2016-6346 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue was fixed in EAP 7.1.0, but was not fixed in 7.0.7.
On Red Hat Satellite 6.5 this issue is fixed through the candlepin package update (candlepin 2.5.8), which contains a non-vulnerable version of RESTEasy.

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2018:0004 2018-01-03
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (resteasy) RHSA-2017:0826 2017-03-22
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2018:0002 2018-01-03
Red Hat JBoss EAP 7 RHSA-2018:0003 2018-01-03
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2018:0005 2018-01-03
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2018:0005 2018-01-03
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2017:0517 2017-03-14
Red Hat JBoss BRMS 6.4 RHSA-2017:1676 2017-07-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2017:0829 2017-03-22
Red Hat JBoss BPMS 6.4 RHSA-2017:1675 2017-07-04
Red Hat JBoss BRMS 7.0 RHSA-2018:2143 2018-07-05
Red Hat Satellite 6.5 for RHEL 7 (katello) RHSA-2019:1222 2019-05-14
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (resteasy) RHSA-2017:0828 2017-03-22
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (resteasy) RHSA-2017:0827 2017-03-22

Affected Packages State

Platform Package State
Red Hat Subscription Asset Manager 1 katello Will not fix
Red Hat Single Sign-On 7 Core Not affected
Red Hat Satellite 6 Security Will not fix
Red Hat OpenShift Application Runtimes 1.0 swarm Not affected
Red Hat JBoss Portal Platform 6 Requirements Not affected
Red Hat JBoss Operations Network 3 REST Will not fix
Red Hat JBoss Fuse Service Works 6 RESTEasy Will not fix
Red Hat JBoss Fuse 6 SwitchYard Will not fix
Red Hat JBoss Enterprise SOA Platform 5 Security Will not fix
Red Hat JBoss EAP 5 jbossas Will not fix
Red Hat JBoss Data Virtualization 6 RESTEasy Not affected
Red Hat JBoss Data Grid 7 resteasy Will not fix
Red Hat JBoss Data Grid 6 Build Not affected
Red Hat JBoss BRMS 5 Security Will not fix
RHEV Manager 3 vdsm-jsonrpc-java Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank Mikhail Egorov (Odin) for reporting this issue.