CVE-2018-1051
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1051 from the MITRE CVE dictionary and NIST NVD.
Statement
This issue only affects applications that have the YamlProvider explicitly enabled by adding or appending a file named 'META-INF/services/javax.ws.rs.ext.Providers' to the WAR or JAR with the contents 'org.jboss.resteasy.plugins.providers.YamlProvider'.
resteasy-base as shipped in Red Hat Enterprise Linux 7 does not include YamlProvider.
Red Hat Subscription Asset Manager version 1 is now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates.
This issue affects the versions of resteasy as shipped with Red Hat Satellite version 6, however Satellite version 6 does not use the affected functionality. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue.
For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
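The affected condition above is a static property of the deployed archive, so it can be checked offline. The following is an added example, not code from the advisory or from RESTEasy: it scans a WAR or JAR for the service file named in the Statement, parses it in Java ServiceLoader format, and also descends into JARs bundled under WEB-INF/lib (assumed layout of a standard WAR). The sample archives are constructed in memory for demonstration.

```python
# Added example, not from the advisory: detect the YamlProvider registration
# described in the Statement, including JARs bundled under WEB-INF/lib.
import io
import zipfile

SERVICES_ENTRY = "META-INF/services/javax.ws.rs.ext.Providers"
YAML_PROVIDER = "org.jboss.resteasy.plugins.providers.YamlProvider"


def parse_service_file(text: str) -> list[str]:
    """Java ServiceLoader format: one class name per line, '#' starts a comment."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [ln for ln in lines if ln]


def registered_providers(archive) -> list[str]:
    """All JAX-RS providers registered in a WAR/JAR (path or file-like),
    recursing into JARs under WEB-INF/lib."""
    found = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name == SERVICES_ENTRY:
                found += parse_service_file(zf.read(name).decode("utf-8", "replace"))
            elif name.startswith("WEB-INF/lib/") and name.endswith(".jar"):
                found += registered_providers(io.BytesIO(zf.read(name)))
    return found


def yaml_provider_enabled(archive) -> bool:
    """True when the archive meets the affected condition from the Statement."""
    return YAML_PROVIDER in registered_providers(archive)


def build_sample_war(with_yaml: bool, in_lib_jar: bool = False) -> io.BytesIO:
    """Constructed sample WAR for demonstration only; not a real deployment."""
    services = "# JAX-RS providers\n" + (YAML_PROVIDER + "\n" if with_yaml else "")
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        if in_lib_jar:
            jar_buf = io.BytesIO()
            with zipfile.ZipFile(jar_buf, "w") as jar:
                jar.writestr(SERVICES_ENTRY, services)
            war.writestr("WEB-INF/lib/app.jar", jar_buf.getvalue())
        else:
            war.writestr(SERVICES_ENTRY, services)
    war_buf.seek(0)
    return war_buf
```

Pass a path to a real deployment archive to `yaml_provider_enabled` to check it; an archive that registers the provider in neither location is outside the affected condition.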
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 8.1 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | eap7-resteasy-yaml-provider | Will not fix |
| Red Hat Subscription Asset Manager 1 | resteasy | Will not fix |
| Red Hat Single Sign-On 7 | resteasy | Under investigation |
| Red Hat Satellite 6 | resteasy | Will not fix |
| Red Hat Mobile Application Platform On-Premise 4 | millicore | Not affected |
| Red Hat JBoss Portal Platform 6 | resteasy | Under investigation |
| Red Hat JBoss Operations Network 3 | resteasy | Not affected |
| Red Hat JBoss Fuse Service Works 6 | resteasy | Under investigation |
| Red Hat JBoss Fuse 6 | resteasy | Not affected |
| Red Hat JBoss Enterprise SOA Platform 5 | resteasy | Under investigation |
| Red Hat JBoss EAP 7 | resteasy | Will not fix |
| Red Hat JBoss EAP 6 | resteasy | Will not fix |
| Red Hat JBoss EAP 5 | resteasy | Will not fix |
| Red Hat JBoss Data Virtualization 6 | resteasy | Under investigation |
| Red Hat JBoss Data Grid 6 | resteasy | Under investigation |
| Red Hat JBoss BRMS 6 | resteasy | Not affected |
| Red Hat JBoss BPMS 6 | resteasy | Not affected |
| Red Hat Enterprise Linux 7 | resteasy-base | Not affected |
Acknowledgements
Red Hat would like to thank Rui Chong (Baidu) for reporting this issue.
Mitigation
If the YamlProvider is enabled, it is recommended to add authentication and authorization to the endpoints expecting YAML content to prevent exploitation of this vulnerability.
CVE description copyright © 2017, The MITRE Corporation
