CVE-2016-9606

Impact:
Moderate
Public Date:
2016-12-15
CWE:
CWE-20
Bugzilla:
1400644: CVE-2016-9606 Resteasy: Yaml unmarshalling vulnerable to RCE
It was discovered that under certain conditions RESTEasy could be forced to parse a request with YamlProvider, resulting in unmarshalling of potentially untrusted data. An attacker could possibly use this flaw to execute arbitrary code with the permissions of the application using RESTEasy.

Find out more about CVE-2016-9606 from the MITRE CVE dictionary and NIST NVD.

Statement

YamlProvider was removed from the default list of providers to prevent a malicious user from requesting that a payload be marshalled with YAML. If marshalling of YAML content is desired, add a file named 'META-INF/services/javax.ws.rs.ext.Providers' to your WAR or JAR (or append to it if it already exists) with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'.

If YamlProvider is re-added to the default list of providers, it is recommended to add authentication and authorization to the endpoint expecting YAML content to prevent exploitation of this vulnerability.

CVSS v2 metrics

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 8.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss BRMS 7.1 RHSA-2018:2913 2018-10-11
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jboss-ec2-eap) RHSA-2017:1412 2017-06-07
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (resteasy) RHSA-2017:1253 2017-05-18
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server RHSA-2017:1411 2017-06-07
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (resteasy) RHSA-2017:1256 2017-05-18
Red Hat JBoss BPMS 7.1 RHSA-2018:2909 2018-10-11
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jboss-ec2-eap) RHSA-2017:1412 2017-06-07
Red Hat JBoss BRMS 6.4 RHSA-2017:1676 2017-07-04
Red Hat JBoss BPMS 6.4 RHSA-2017:1675 2017-07-04
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2017:1260 2017-05-18
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server RHSA-2017:1410 2017-06-07
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2017:1255 2017-05-18
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (resteasy) RHSA-2017:1254 2017-05-18
Red Hat JBoss EAP 7 RHSA-2017:1409 2017-06-07

Affected Packages State

Platform Package State
Red Hat Single Sign-On 7.0 resteasy Not affected
Red Hat Mobile Application Platform On-Premise 4 millicore Not affected
Red Hat JBoss Portal Platform 6.2.x resteasy Not affected
Red Hat JBoss Operations Network 3 resteasy Not affected
Red Hat JBoss Fuse 6 resteasy Not affected
Red Hat Enterprise Linux 7 resteasy-base Not affected

Acknowledgements

Red Hat would like to thank Moritz Bechler (AgNO3 GmbH & Co. KG) for reporting this issue.

Mitigation

Add authentication and authorization to any RESTEasy endpoint which does not define a MIME type, or which defines a multipart MIME type.
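As an added illustration of the mitigations above (example code, not from this advisory or from the RESTEasy project), the resource below pins the accepted media type and requires a role on the endpoint, and a request filter enforces an application-wide allow list of request content types. It assumes JAX-RS 2.x package names (javax.ws.rs), a hypothetical Order bean and "orders-writer" role, and a web.xml that sets the RESTEasy context-param resteasy.role.based.security to true so that @RolesAllowed is enforced.

```java
import java.util.Arrays;
import java.util.List;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Without @Consumes, the request's Content-Type header alone selects the
// MessageBodyReader, so a registered YamlProvider can be reached by any client.
@Path("/orders")
public class OrdersResource {

    // Hardened form: the endpoint names the one media type it accepts, so a
    // request with any other Content-Type is answered 415 before a body reader
    // is chosen, and only an authenticated caller in the role may invoke it.
    @POST
    @Consumes(MediaType.APPLICATION_JSON)
    @RolesAllowed("orders-writer")           // hypothetical role name
    public Response create(Order order) {    // Order: hypothetical request bean
        return Response.status(Response.Status.CREATED).build();
    }
}

// Defence in depth for a deployment that re-adds YamlProvider: reject every
// request body whose Content-Type is outside an explicit allow list, which
// also covers endpoints that declare no media type or a multipart one.
@Provider
@PreMatching
public class ContentTypeAllowListFilter implements ContainerRequestFilter {
    private static final List<MediaType> ALLOWED = Arrays.asList(
            MediaType.APPLICATION_JSON_TYPE,
            MediaType.APPLICATION_FORM_URLENCODED_TYPE);

    @Override
    public void filter(ContainerRequestContext ctx) {
        MediaType requested = ctx.getMediaType();   // null when no body is sent
        if (requested == null) {
            return;
        }
        boolean allowed = ALLOWED.stream().anyMatch(requested::isCompatible);
        if (!allowed) {
            ctx.abortWith(Response.status(Response.Status.UNSUPPORTED_MEDIA_TYPE).build());
        }
    }
}
```

The filter runs before resource matching, so it also protects endpoints that were overlooked when adding @Consumes or @RolesAllowed.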

Last Modified