CVE-2016-9606
Find out more about CVE-2016-9606 from the MITRE CVE dictionary and NIST NVD.
Statement
YamlProvider was removed from the default list of providers to prevent a malicious user from requesting that a payload be marshalled with Yaml. If marshalling of Yaml content is desired, add or append to a file named 'META-INF/services/javax.ws.rs.ext.Providers' in your WAR or JAR, with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'.
If YamlProvider is re-added to the default list of providers, it is recommended to add authentication and authorization to the endpoint expecting Yaml content to prevent exploitation of this vulnerability.
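As an added audit check (not part of the Red Hat advisory), the following Python script scans a WAR, including the JARs bundled under WEB-INF/lib, for a javax.ws.rs.ext.Providers service file that re-registers YamlProvider, so a deployment that silently re-enables the provider can be found; the sample WAR it inspects is constructed inline.

```python
"""Audit a WAR/JAR for a re-enabled RESTEasy YamlProvider (CVE-2016-9606)."""
import io
import zipfile

# Service file and provider class named in the Red Hat statement for CVE-2016-9606.
SERVICES_PATH = "META-INF/services/javax.ws.rs.ext.Providers"
YAML_PROVIDER = "org.jboss.resteasy.plugins.providers.YamlProvider"


def services_lists_yaml_provider(data: bytes) -> bool:
    """True if a ServiceLoader file (one class per line, '#' comments) registers YamlProvider."""
    for raw in data.decode("utf-8", errors="replace").splitlines():
        if raw.split("#", 1)[0].strip() == YAML_PROVIDER:
            return True
    return False


def find_yaml_provider_registrations(archive: bytes, prefix: str = "") -> list:
    """Return paths of Providers files that register YamlProvider, descending into nested JARs
    (e.g. WEB-INF/lib/*.jar inside a WAR); nested paths use the 'outer.jar!/inner' form."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name == SERVICES_PATH and services_lists_yaml_provider(zf.read(name)):
                hits.append(prefix + name)
            elif name.lower().endswith(".jar"):
                hits.extend(find_yaml_provider_registrations(zf.read(name), prefix + name + "!/"))
    return hits


def build_sample_war() -> bytes:
    """Constructed sample: a WAR whose bundled JAR re-registers YamlProvider."""
    lib = io.BytesIO()
    with zipfile.ZipFile(lib, "w") as jar:
        jar.writestr(SERVICES_PATH, "# custom providers\n" + YAML_PROVIDER + "\n")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as w:
        w.writestr("WEB-INF/web.xml", "<web-app/>")
        w.writestr("WEB-INF/lib/custom-providers.jar", lib.getvalue())
        # A Providers file that registers a different class must not be flagged.
        w.writestr(SERVICES_PATH, "com.example.OtherProvider\n")
    return war.getvalue()


if __name__ == "__main__":
    for hit in find_yaml_provider_registrations(build_sample_war()):
        print("YamlProvider registered in:", hit)
```

Any path it reports is an endpoint set that needs the authentication and authorization the statement calls for.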
CVSS v2 metrics
| Base Score | 6.8 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
CVSS v3 metrics
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss BRMS 7.1 | RHSA-2018:2913 | 2018-10-11 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) | RHSA-2017:1412 | 2017-06-07 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (resteasy) | RHSA-2017:1253 | 2017-05-18 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2017:1411 | 2017-06-07 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (resteasy) | RHSA-2017:1256 | 2017-05-18 |
| Red Hat JBoss BPMS 7.1 | RHSA-2018:2909 | 2018-10-11 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) | RHSA-2017:1412 | 2017-06-07 |
| Red Hat JBoss BRMS 6.4 | RHSA-2017:1676 | 2017-07-04 |
| Red Hat JBoss BPMS 6.4 | RHSA-2017:1675 | 2017-07-04 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2017:1260 | 2017-05-18 |
| Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2017:1410 | 2017-06-07 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2017:1255 | 2017-05-18 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (resteasy) | RHSA-2017:1254 | 2017-05-18 |
| Red Hat JBoss EAP 7 | RHSA-2017:1409 | 2017-06-07 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Single Sign-On 7.0 | resteasy | Not affected |
| Red Hat Mobile Application Platform On-Premise 4 | millicore | Not affected |
| Red Hat JBoss Portal Platform 6.2.x | resteasy | Not affected |
| Red Hat JBoss Operations Network 3 | resteasy | Not affected |
| Red Hat JBoss Fuse 6 | resteasy | Not affected |
| Red Hat Enterprise Linux 7 | resteasy-base | Not affected |
Acknowledgements
Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting this issue.
Mitigation
Add authentication and authorization to any Resteasy endpoint which doesn't define a mime type, or defines a multipart mime type.
