Candidate: CVE-2016-9606
PublicDate: 2018-03-09 20:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9606
 https://issues.jboss.org/browse/RESTEASY-1618
 https://bugzilla.redhat.com/show_bug.cgi?id=1400644
Description:
 JBoss RESTEasy before version 3.1.2 could be forced into parsing a request
 with YamlProvider, resulting in unmarshalling of potentially untrusted data
 which could allow an attacker to execute arbitrary code with RESTEasy
 application permissions.
Ubuntu-Description:
Notes:
 sbeattie> in some places, incorrectly referred to as CVE-2016-9571 due to a
  double assignment
 msalvatore> Can be mitigated by adding authentication and authorization to
  any endpoint expecting Yaml content or disabling YamlProvider.
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851430
Priority: medium
Discovered-by: Moritz Bechler
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_resteasy:
 upstream: https://github.com/resteasy/Resteasy/commit/bccadffa2df8ecaff6616df18d2f3b1210866b99 (3.1.x)
 upstream: https://github.com/resteasy/Resteasy/commit/26e2340c50acdcec0e804796402f83f18ae165c5 (3.0.x)
upstream_resteasy: released (3.1.2, 3.0.22)
precise_resteasy: DNE
precise/esm_resteasy: DNE
trusty_resteasy: DNE
trusty/esm_resteasy: DNE
vivid/stable-phone-overlay_resteasy: DNE
vivid/ubuntu-core_resteasy: DNE
xenial_resteasy: ignored (end of standard support, was needed)
yakkety_resteasy: ignored (reached end-of-life)
zesty_resteasy: ignored (reached end-of-life)
artful_resteasy: ignored (reached end-of-life)
bionic_resteasy: DNE
cosmic_resteasy: DNE
disco_resteasy: not-affected (3.1.4-1)
eoan_resteasy: not-affected (3.1.4-1)
focal_resteasy: not-affected (3.1.4-1)
groovy_resteasy: not-affected (3.1.4-1)
hirsute_resteasy: not-affected (3.1.4-1)
impish_resteasy: not-affected (3.1.4-1)
jammy_resteasy: not-affected (3.1.4-1)
devel_resteasy: not-affected (3.1.4-1)