JBoss RESTEasy before version 3.1.2 could be forced into parsing a request with YamlProvider, resulting in unmarshalling of potentially untrusted data which could allow an attacker to execute arbitrary code with RESTEasy application permissions.
CVE-2016-9606
This high-severity CVE scores 8.1 under NVD CVSS v3. EPSS exploit probability: 2.3%, top 15% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 8.1
- EG Score
- 8.1(medium)
- EPSS
- 92.7%
- KEV
- Not listed
Published
March 9, 2018
Last Modified
November 21, 2024
References (32)
- secalert@redhathttp://rhn.redhat.com/errata/RHSA-2017-1255.html
- secalert@redhathttp://rhn.redhat.com/errata/RHSA-2017-1409.html
- secalert@redhathttp://www.securityfocus.com/bid/94940
- secalert@redhathttp://www.securitytracker.com/id/1038524
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1253
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1254
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1256
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1260
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1410
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1411
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1412
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1675
- secalert@redhathttps://access.redhat.com/errata/RHSA-2017:1676
- secalert@redhathttps://access.redhat.com/errata/RHSA-2018:2909
- secalert@redhathttps://access.redhat.com/errata/RHSA-2018:2913
Vendor Advisories for CVE-2016-9606(4)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2017:1412Red Hat Product SecurityMedium
Red Hat Security Advisory: eap7-jboss-ec2-eap security update
- RHSA-2017:1410Red Hat Product SecurityMedium
Red Hat Security Advisory: JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 6
- RHSA-2017:1411Red Hat Product SecurityMedium
Red Hat Security Advisory: JBoss Enterprise Application Platform 7.0.6 on Red Hat Enterprise Linux 7
- RHSA-2017:1409Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform security update
Patch Availability(13)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | patch | 2018-10-11 | redhat |
| redhat | patch | 2018-10-11 | redhat |
| redhat | patch | 2017-07-04 | redhat |
| redhat | patch | 2017-07-04 | redhat |
| redhat | patch | 2017-06-07 | redhat |
| redhat | eap7-wss4j-0:2.1.8-2.redhat_1.1.ep7.el6 | 2017-06-07 | redhat |
| redhat | eap7-jboss-ec2-eap-0:7.0.6-1.GA_redhat_1.ep7.el7 | 2017-06-07 | redhat |
| redhat | eap7-wss4j-0:2.1.8-2.redhat_1.1.ep7.el7 | 2017-06-07 | redhat |
| redhat | resteasy-0:2.3.19-1.Final_redhat_1.1.ep6.el5 | 2017-05-18 | redhat |
| redhat | patch | 2017-05-18 | redhat |
| redhat | resteasy-0:2.3.19-1.Final_redhat_1.1.ep6.el6 | 2017-05-18 | redhat |
| redhat | jboss-ec2-eap-0:7.5.15-3.Final_redhat_3.ep6.el6 | 2017-05-18 | redhat |
| redhat | resteasy-0:2.3.19-1.Final_redhat_1.1.ep6.el7 | 2017-05-18 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.jboss.resteasy:resteasy-bom | 1.2.1.GA ... 3.1.1.Final (68 versions) | 3.1.2.Final | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(9)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2017:1253MODERATE2016-12-15
RHSA-2017:1253 — Moderate
- Red HatRHSA-2017:1254MODERATE2016-12-15
RHSA-2017:1254 — Moderate
- Red HatRHSA-2017:1255MODERATE2016-12-15
RHSA-2017:1255 — Moderate
- Red HatRHSA-2017:1256MODERATE2016-12-15
RHSA-2017:1256 — Moderate
- Red HatRHSA-2017:1260MODERATE2016-12-15
RHSA-2017:1260 — Moderate
- Red HatRHSA-2017:1675MODERATE2016-12-15
RHSA-2017:1675 — Moderate
- Red HatRHSA-2017:1676MODERATE2016-12-15
RHSA-2017:1676 — Moderate
- Red HatRHSA-2018:2909MODERATE2016-12-15
RHSA-2018:2909 — Moderate
- Red HatRHSA-2018:2913MODERATE2016-12-15
RHSA-2018:2913 — Moderate
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-20
- CVE-2002-2444EG 9.8CRITICAL
- CVE-2005-0116NVD 0.0EG 9.0EPSS 99%NONE
- CVE-2002-1359NVD 0.0EG 9.0EPSS 100%NONE
- CVE-2000-0380NVD 0.0EG 9.0EPSS 98%NONE
- CVE-2000-0258EG 7.5EPSS 97%HIGH
- CVE-2004-2771EG 0.0EPSS 93%NONE
- CVE-2002-2443EG 0.0EPSS 93%NONE
- CVE-2002-2433EG 0.0NONE
- CVE-2003-1569EG 0.0NONE
- CVE-2003-1568EG 0.0NONE
Frequently asked(5)
What is CVE-2016-9606?
When was CVE-2016-9606 disclosed?
Is CVE-2016-9606 actively exploited?
What is the CVSS score of CVE-2016-9606?
How do I remediate CVE-2016-9606?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2016-9606
Is Your Infrastructure Affected by CVE-2016-9606?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.