ID CVE-2016-7050
Summary SerializableProvider in RESTEasy in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows remote attackers to execute arbitrary code.
References
Vulnerable Configurations
  • cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 16-06-2017 - 12:03)
Impact:
Exploitability:
CWE CWE-502
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
bugzilla
id 1378613
title CVE-2016-7050 RESTEasy:SerializableProvider enabled by default and deserializes untrusted data
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment resteasy-base is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604015
      • comment resteasy-base is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011006
    • AND
      • comment resteasy-base-atom-provider is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604005
      • comment resteasy-base-atom-provider is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011010
    • AND
      • comment resteasy-base-client is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604013
      • comment resteasy-base-client is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162604014
    • AND
      • comment resteasy-base-jackson-provider is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604021
      • comment resteasy-base-jackson-provider is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011018
    • AND
      • comment resteasy-base-javadoc is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604019
      • comment resteasy-base-javadoc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011022
    • AND
      • comment resteasy-base-jaxb-provider is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604007
      • comment resteasy-base-jaxb-provider is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011026
    • AND
      • comment resteasy-base-jaxrs is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604023
      • comment resteasy-base-jaxrs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011024
    • AND
      • comment resteasy-base-jaxrs-all is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604009
      • comment resteasy-base-jaxrs-all is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011012
    • AND
      • comment resteasy-base-jaxrs-api is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604025
      • comment resteasy-base-jaxrs-api is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011020
    • AND
      • comment resteasy-base-jettison-provider is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604011
      • comment resteasy-base-jettison-provider is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011014
    • AND
      • comment resteasy-base-providers-pom is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604029
      • comment resteasy-base-providers-pom is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011016
    • AND
      • comment resteasy-base-resteasy-pom is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604017
      • comment resteasy-base-resteasy-pom is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162604018
    • AND
      • comment resteasy-base-tjws is earlier than 0:3.0.6-4.el7
        oval oval:com.redhat.rhsa:tst:20162604027
      • comment resteasy-base-tjws is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20141011008
rhsa
id RHSA-2016:2604
released 2016-11-03
severity Important
title RHSA-2016:2604: resteasy-base security and bug fix update (Important)
rpms
  • resteasy-base-0:3.0.6-4.el7
  • resteasy-base-atom-provider-0:3.0.6-4.el7
  • resteasy-base-client-0:3.0.6-4.el7
  • resteasy-base-jackson-provider-0:3.0.6-4.el7
  • resteasy-base-javadoc-0:3.0.6-4.el7
  • resteasy-base-jaxb-provider-0:3.0.6-4.el7
  • resteasy-base-jaxrs-0:3.0.6-4.el7
  • resteasy-base-jaxrs-all-0:3.0.6-4.el7
  • resteasy-base-jaxrs-api-0:3.0.6-4.el7
  • resteasy-base-jettison-provider-0:3.0.6-4.el7
  • resteasy-base-providers-pom-0:3.0.6-4.el7
  • resteasy-base-resteasy-pom-0:3.0.6-4.el7
  • resteasy-base-tjws-0:3.0.6-4.el7
refmap via4
confirm https://bugzilla.redhat.com/show_bug.cgi?id=1378613
Last major update 16-06-2017 - 12:03
Published 08-06-2017 - 19:29
Back to Top