[Bug 1372120] New: CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Bug ID: 1372120 Summary: CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: jshepherd@redhat.com CC: aileenc@redhat.com, alazarot@redhat.com, alee@redhat.com, aszczucz@redhat.com, bazulay@redhat.com, bbaranow@redhat.com, bdawidow@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmcclain@redhat.com, cbillett@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dblechte@redhat.com, dosoudil@redhat.com, eedri@redhat.com, epp-bugs@redhat.com, etirelli@redhat.com, felias@redhat.com, fnasser@redhat.com, gklein@redhat.com, gvarsami@redhat.com, hchiorea@redhat.com, hfnukal@redhat.com, huwang@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jboss-set@redhat.com, jbpapp-maint@redhat.com, jcoleman@redhat.com, jdg-bugs@redhat.com, jmatthew@redhat.com, jolee@redhat.com, jpallich@redhat.com, jshepherd@redhat.com, katello-bugs@redhat.com, kconner@redhat.com, kseifried@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, lpetrovi@redhat.com, lsurette@redhat.com, mbaluch@redhat.com, mgoldboi@redhat.com, mgoldman@redhat.com, miburman@redhat.com, michal.skrivanek@redhat.com, mmccune@redhat.com, mweiler@redhat.com, mwinkler@redhat.com, myarboro@redhat.com, nwallace@redhat.com, ohadlevy@redhat.com, oourfali@redhat.com, pavelp@redhat.com, pgier@redhat.com, pkliczew@redhat.com, psakar@redhat.com, pslavice@redhat.com, puntogil@libero.it, rcernich@redhat.com, Rhev-m-bugs@redhat.com, rnetuka@redhat.com, rrajasek@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, rzhang@redhat.com, satellite6-bugs@redhat.com, sherold@redhat.com, soa-p-jira@post-office.corp.redhat.com, spinder@redhat.com, tcunning@redhat.com, theute@redhat.com, tjay@redhat.com, tkirby@redhat.com, tlestach@redhat.com, tomckay@redhat.com, tsanders@redhat.com, ttarrant@redhat.com, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com, ydary@redhat.com, ykaul@redhat.com
It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #1 from Jason Shepherd jshepherd@redhat.com --- Acknowledgments:
Name: Mikhail Egorov (Odin)
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1371804
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1372122
--- Comment #2 from Jason Shepherd jshepherd@redhat.com ---
Created resteasy tracking bugs for this issue:
Affects: fedora-all [bug 1372122]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1372122 [Bug 1372122] CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1372141
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Doc Text *updated* by Jason Shepherd jshepherd@redhat.com --- It was found that GZIPInterceptor is enabled when not necessarily required in RESTEasy. An attacker could use this flaw to launch a Denial of Service attack.
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=new,eap-5/jbossas=w |ESTEasy=affected,eap-5/jbos |ontfix,bpms-6/Build and |sas=wontfix,bpms-6/Build |Assembly=new,brms-6/Build |and |and |Assembly=new,brms-6/Build |Assembly=new,jdg-6/Build=ne |and |w,jdv-6/Productization=new, |Assembly=new,jdg-6/Build=ne |brms-5/Security=wontfix,soa |w,jdv-6/Productization=new, |p-5/Security=wontfix,fsw-6/ |brms-5/Security=wontfix,soa |SwitchYard=new,fuse-6/Switc |p-5/Security=wontfix,fsw-6/ |hYard=new,jon-3/REST=new,jp |SwitchYard=new,fuse-6/Switc |p-6/Requirements=new,rhsso- |hYard=new,jon-3/REST=new,jp |7/Core=new,rhev-m-3/vdsm-js |p-6/Requirements=new,rhsso- |onrpc-java=new,rhn_satellit |7/Core=new,rhev-m-3/vdsm-js |e_6/Security=new,sam-1/kate |onrpc-java=new,rhn_satellit |llo=new |e_6/Security=new,sam-1/kate | |llo=new
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1372565
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1372568
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1372571
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/Build |sas=wontfix,bpms-6/Build |and |and |Assembly=new,brms-6/Build |Assembly=new,brms-6/Build |and |and |Assembly=new,jdg-6/Build=ne |Assembly=new,jdg-6/Build=ne |w,jdv-6/Productization=new, |w,jdv-6/Productization=new, |brms-5/Security=wontfix,soa |brms-5/Security=wontfix,soa |p-5/Security=wontfix,fsw-6/ |p-5/Security=wontfix,fsw-6/ |SwitchYard=new,fuse-6/Switc |SwitchYard=new,fuse-6/Switc |hYard=new,jon-3/REST=new,jp |hYard=new,jon-3/REST=wontfi |p-6/Requirements=new,rhsso- |x,jpp-6/Requirements=new,rh |7/Core=new,rhev-m-3/vdsm-js |sso-7/Core=new,rhev-m-3/vds |onrpc-java=new,rhn_satellit |m-jsonrpc-java=new,rhn_sate |e_6/Security=new,sam-1/kate |llite_6/Security=new,sam-1/ |llo=new |katello=new
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1372592 Depends On| |1372593
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/Build |sas=wontfix,bpms-6/RESTEasy |and |=affected,brms-6/RESTEasy=a |Assembly=new,brms-6/Build |ffected,jdg-6/Build=new,jdv |and |-6/RESTEasy=affected,brms-5 |Assembly=new,jdg-6/Build=ne |/Security=wontfix,soap-5/Se |w,jdv-6/Productization=new, |curity=wontfix,fsw-6/RESTEa |brms-5/Security=wontfix,soa |sy=affected,fuse-6/SwitchYa |p-5/Security=wontfix,fsw-6/ |rd=new,jon-3/REST=wontfix,j |SwitchYard=new,fuse-6/Switc |pp-6/Requirements=new,rhsso |hYard=new,jon-3/REST=wontfi |-7/Core=new,rhev-m-3/vdsm-j |x,jpp-6/Requirements=new,rh |sonrpc-java=new,rhn_satelli |sso-7/Core=new,rhev-m-3/vds |te_6/Security=new,sam-1/kat |m-jsonrpc-java=new,rhn_sate |ello=new |llite_6/Security=new,sam-1/ | |katello=new |
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1372848 Depends On| |1372849
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |hghasemb@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=affected,brms-5 |-6/RESTEasy=affected,brms-5 |/Security=wontfix,soap-5/Se |/Security=wontfix,soap-5/Se |curity=wontfix,fsw-6/RESTEa |curity=wontfix,fsw-6/RESTEa |sy=affected,fuse-6/SwitchYa |sy=affected,fuse-6/SwitchYa |rd=new,jon-3/REST=wontfix,j |rd=wontfix,jon-3/REST=wontf |pp-6/Requirements=new,rhsso |ix,jpp-6/Requirements=new,r |-7/Core=new,rhev-m-3/vdsm-j |hsso-7/Core=new,rhev-m-3/vd |sonrpc-java=new,rhn_satelli |sm-jsonrpc-java=new,rhn_sat |te_6/Security=new,sam-1/kat |ellite_6/Security=new,sam-1 |ello=new |/katello=new
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=affected,brms-5 |-6/RESTEasy=affected,brms-5 |/Security=wontfix,soap-5/Se |/Security=wontfix,soap-5/Se |curity=wontfix,fsw-6/RESTEa |curity=wontfix,fsw-6/RESTEa |sy=affected,fuse-6/SwitchYa |sy=affected,fuse-6/SwitchYa |rd=wontfix,jon-3/REST=wontf |rd=affected,jon-3/REST=wont |ix,jpp-6/Requirements=new,r |fix,jpp-6/Requirements=new, |hsso-7/Core=new,rhev-m-3/vd |rhsso-7/Core=new,rhev-m-3/v |sm-jsonrpc-java=new,rhn_sat |dsm-jsonrpc-java=new,rhn_sa |ellite_6/Security=new,sam-1 |tellite_6/Security=new,sam- |/katello=new |1/katello=new
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=affected,brms-5 |-6/RESTEasy=notaffected,brm |/Security=wontfix,soap-5/Se |s-5/Security=wontfix,soap-5 |curity=wontfix,fsw-6/RESTEa |/Security=wontfix,fsw-6/RES |sy=affected,fuse-6/SwitchYa |TEasy=affected,fuse-6/Switc |rd=affected,jon-3/REST=wont |hYard=affected,jon-3/REST=w |fix,jpp-6/Requirements=new, |ontfix,jpp-6/Requirements=n |rhsso-7/Core=new,rhev-m-3/v |ew,rhsso-7/Core=new,rhev-m- |dsm-jsonrpc-java=new,rhn_sa |3/vdsm-jsonrpc-java=new,rhn |tellite_6/Security=new,sam- |_satellite_6/Security=new,s |1/katello=new |am-1/katello=new
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Via RHSA-2017:0517 https://rhn.redhat.com/errata/RHSA-2017-0517.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2017:0828 https://rhn.redhat.com/errata/RHSA-2017-0828.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:0827 https://rhn.redhat.com/errata/RHSA-2017-0827.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2017:0826 https://rhn.redhat.com/errata/RHSA-2017-0826.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:0829 https://rhn.redhat.com/errata/RHSA-2017-0829.html
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #17 from Jason Shepherd jshepherd@redhat.com --- Statement:
In order to reduce the risk of being exploited we changed the default setting for Resteasy not to decode requests with gzip compression. If you are accepting requests which are compressed with gzip compression you need to re-enable it by following the details in the KCS solution:
https://access.redhat.com/solutions/2986611
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |psotirop@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=notaffected,brm |-6/RESTEasy=notaffected,brm |s-5/Security=wontfix,soap-5 |s-5/Security=wontfix,soap-5 |/Security=wontfix,fsw-6/RES |/Security=wontfix,fsw-6/RES |TEasy=affected,fuse-6/Switc |TEasy=affected,fuse-6/Switc |hYard=affected,jon-3/REST=w |hYard=affected,jon-3/REST=w |ontfix,jpp-6/Requirements=n |ontfix,jpp-6/Requirements=n |ew,rhsso-7/Core=new,rhev-m- |ew,rhsso-7/Core=new,rhev-m- |3/vdsm-jsonrpc-java=new,rhn |3/vdsm-jsonrpc-java=new,rhn |_satellite_6/Security=new,s |_satellite_6/Security=new,s |am-1/katello=new |am-1/katello=new,eap-7/rest | |easy=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1456316, 1456314, 1456313, | |1456317, 1456315
--- Comment #19 from Jason Shepherd jshepherd@redhat.com --- Created resteasy tracking bugs for this issue:
Affects: fedora-all [bug 1456313]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1456313 [Bug 1456313] CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1460775
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss BRMS
Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss BPM Suite
Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=notaffected,brm |-6/RESTEasy=notaffected,brm |s-5/Security=wontfix,soap-5 |s-5/Security=wontfix,soap-5 |/Security=wontfix,fsw-6/RES |/Security=wontfix,fsw-6/RES |TEasy=affected,fuse-6/Switc |TEasy=wontfix,fuse-6/Switch |hYard=affected,jon-3/REST=w |Yard=affected,jon-3/REST=wo |ontfix,jpp-6/Requirements=n |ntfix,jpp-6/Requirements=ne |ew,rhsso-7/Core=new,rhev-m- |w,rhsso-7/Core=new,rhev-m-3 |3/vdsm-jsonrpc-java=new,rhn |/vdsm-jsonrpc-java=new,rhn_ |_satellite_6/Security=new,s |satellite_6/Security=new,sa |am-1/katello=new,eap-7/rest |m-1/katello=new,eap-7/reste |easy=affected |asy=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |lzap@redhat.com, | |mhulan@redhat.com, | |tbrisker@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=new,jdv |-6/RESTEasy=notaffected,brm |-6/RESTEasy=notaffected,brm |s-5/Security=wontfix,soap-5 |s-5/Security=wontfix,soap-5 |/Security=wontfix,fsw-6/RES |/Security=wontfix,fsw-6/RES |TEasy=wontfix,fuse-6/Switch |TEasy=wontfix,fuse-6/Switch |Yard=affected,jon-3/REST=wo |Yard=affected,jon-3/REST=wo |ntfix,jpp-6/Requirements=ne |ntfix,jpp-6/Requirements=ne |w,rhsso-7/Core=new,rhev-m-3 |w,rhsso-7/Core=new,rhev-m-3 |/vdsm-jsonrpc-java=new,rhn_ |/vdsm-jsonrpc-java=new,rhn_ |satellite_6/Security=new,sa |satellite_6/Security=affect |m-1/katello=new,eap-7/reste |ed,sam-1/katello=new,eap-7/ |asy=affected |resteasy=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1471275, 1471276
--- Comment #25 from Kurt Seifried kseifried@redhat.com --- Created resteasy tracking bugs for this issue:
Affects: fedora-all [bug 1471275]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1471275 [Bug 1471275] CVE-2016-6346 RESTEasy: Abuse of GZIPInterceptor in RESTEasy can lead to denial of service attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #27 from Jason Shepherd jshepherd@redhat.com --- Statement:
This issue was fixed in EAP 7.1.0, but was not fixed in 7.0.7
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1527613
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2018:0003 https://access.redhat.com/errata/RHSA-2018:0003
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2018:0002 https://access.redhat.com/errata/RHSA-2018:0002
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7
Via RHSA-2018:0004 https://access.redhat.com/errata/RHSA-2018:0004
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6
Via RHSA-2018:0005 https://access.redhat.com/errata/RHSA-2018:0005
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |drieden@redhat.com, | |pdrozd@redhat.com, | |sthorger@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=new,jdv |ffected,jdg-6/Build=affecte |-6/RESTEasy=notaffected,brm |d,jdv-6/RESTEasy=notaffecte |s-5/Security=wontfix,soap-5 |d,brms-5/Security=wontfix,s |/Security=wontfix,fsw-6/RES |oap-5/Security=wontfix,fsw- |TEasy=wontfix,fuse-6/Switch |6/RESTEasy=wontfix,fuse-6/S |Yard=affected,jon-3/REST=wo |witchYard=affected,jon-3/RE |ntfix,jpp-6/Requirements=ne |ST=wontfix,jpp-6/Requiremen |w,rhsso-7/Core=new,rhev-m-3 |ts=notaffected,rhsso-7/Core |/vdsm-jsonrpc-java=new,rhn_ |=notaffected,rhev-m-3/vdsm- |satellite_6/Security=affect |jsonrpc-java=new,rhn_satell |ed,sam-1/katello=new,eap-7/ |ite_6/Security=affected,sam |resteasy=affected |-1/katello=new,eap-7/restea | |sy=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=affecte |ffected,jdg-6/Build=notaffe |d,jdv-6/RESTEasy=notaffecte |cted,jdv-6/RESTEasy=notaffe |d,brms-5/Security=wontfix,s |cted,brms-5/Security=wontfi |oap-5/Security=wontfix,fsw- |x,soap-5/Security=wontfix,f |6/RESTEasy=wontfix,fuse-6/S |sw-6/RESTEasy=wontfix,fuse- |witchYard=affected,jon-3/RE |6/SwitchYard=affected,jon-3 |ST=wontfix,jpp-6/Requiremen |/REST=wontfix,jpp-6/Require |ts=notaffected,rhsso-7/Core |ments=notaffected,rhsso-7/C |=notaffected,rhev-m-3/vdsm- |ore=notaffected,rhev-m-3/vd |jsonrpc-java=new,rhn_satell |sm-jsonrpc-java=new,rhn_sat |ite_6/Security=affected,sam |ellite_6/Security=affected, |-1/katello=new,eap-7/restea |sam-1/katello=new,eap-7/res |sy=affected |teasy=affected,jdg-7/restea | |sy=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2018:2143 https://access.redhat.com/errata/RHSA-2018:2143
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- External Bug ID| |Red Hat Product Errata | |RHSA-2018:2143
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
Kunjan Rathod krathod@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |avibelli@redhat.com, | |bgeorges@redhat.com, | |jbalunas@redhat.com, | |krathod@redhat.com, | |lthon@redhat.com, | |mszynkie@redhat.com, | |pgallagh@redhat.com, | |rruss@redhat.com, | |trogers@redhat.com Whiteboard|impact=moderate,public=2016 |impact=moderate,public=2016 |0901,reported=20160829,sour |0901,reported=20160829,sour |ce=researcher,cvss2=5.0/AV: |ce=researcher,cvss2=5.0/AV: |N/AC:L/Au:N/C:N/I:N/A:P,cvs |N/AC:L/Au:N/C:N/I:N/A:P,cvs |s3=7.5/CVSS:3.0/AV:N/AC:L/P |s3=7.5/CVSS:3.0/AV:N/AC:L/P |R:N/UI:N/S:U/C:N/I:N/A:H,ea |R:N/UI:N/S:U/C:N/I:N/A:H,ea |p-7/REST=affected,fedora-al |p-7/REST=affected,fedora-al |l/resteasy=affected,eap-6/R |l/resteasy=affected,eap-6/R |ESTEasy=affected,eap-5/jbos |ESTEasy=affected,eap-5/jbos |sas=wontfix,bpms-6/RESTEasy |sas=wontfix,bpms-6/RESTEasy |=affected,brms-6/RESTEasy=a |=affected,brms-6/RESTEasy=a |ffected,jdg-6/Build=notaffe |ffected,jdg-6/Build=notaffe |cted,jdv-6/RESTEasy=notaffe |cted,jdv-6/RESTEasy=notaffe |cted,brms-5/Security=wontfi |cted,brms-5/Security=wontfi |x,soap-5/Security=wontfix,f |x,soap-5/Security=wontfix,f |sw-6/RESTEasy=wontfix,fuse- |sw-6/RESTEasy=wontfix,fuse- |6/SwitchYard=affected,jon-3 |6/SwitchYard=affected,jon-3 |/REST=wontfix,jpp-6/Require |/REST=wontfix,jpp-6/Require |ments=notaffected,rhsso-7/C |ments=notaffected,rhsso-7/C |ore=notaffected,rhev-m-3/vd |ore=notaffected,rhev-m-3/vd |sm-jsonrpc-java=new,rhn_sat |sm-jsonrpc-java=new,rhn_sat |ellite_6/Security=affected, |ellite_6/Security=affected, |sam-1/katello=new,eap-7/res |sam-1/katello=new,eap-7/res |teasy=affected,jdg-7/restea |teasy=affected,jdg-7/restea |sy=affected |sy=affected,swarm-7/RESTEas | |y=notaffected
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
https://bugzilla.redhat.com/show_bug.cgi?id=1372120
--- Comment #34 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Process Automation
Via RHSA-2017:1675 https://access.redhat.com/errata/RHSA-2017:1675
--- Comment #35 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Decision Manager
Via RHSA-2017:1676 https://access.redhat.com/errata/RHSA-2017:1676
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com -
Red Hat Bugzilla