SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Enterprise_linux_desktop | Redhat | 7.0 (including) | 7.0 (including) |
| Enterprise_linux_hpc_node | Redhat | 7.0 (including) | 7.0 (including) |
| Enterprise_linux_server | Redhat | 7.0 (including) | 7.0 (including) |
| Enterprise_linux_workstation | Redhat | 7.0 (including) | 7.0 (including) |
| Red Hat Enterprise Linux 7 | RedHat | resteasy-base-0:3.0.6-4.el7 | * |
| Resteasy | Ubuntu | artful | * |
| Resteasy | Ubuntu | esm-apps/xenial | * |
| Resteasy | Ubuntu | upstream | * |
| Resteasy | Ubuntu | xenial | * |
| Resteasy | Ubuntu | yakkety | * |
| Resteasy | Ubuntu | zesty | * |
| Resteasy3.0 | Ubuntu | upstream | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.