
Assorted JAX-RS security fixes - CVE-2023-6267 and CVE-2023-5675 #38414

Merged
merged 3 commits into from
Jan 27, 2024

Conversation

gsmet
Member

@gsmet gsmet commented Jan 26, 2024

These fixes were written by @michalvavrik .

Fixes CVE-2023-6267
Fixes CVE-2023-5675

@michalvavrik
Member

I see the failures.

  • The stacktrace for ElytronOauth2ExtensionResourceTestCase.testGrpcAuthorization is not helpful; this happens when you try to access the RoutingContext, but I can't see how injection in a JAX-RS filter could cause that inside a gRPC handler.
  • SmallRye Token Propagation is about the same issue.

I'll need to debug it before I make any assumption. Maybe not today; hope it can wait for a day or so. Anyway, it looks related to the latest changes in gRPC security in 3.7, so I'd not worry about 3.2. I'll let you know.

@michalvavrik
Member

You probably get it from what I wrote, but without further digging I'd expect 3.6.x not to be affected by these failures (hope I got it right), so it shouldn't block you and I'll have time to look at it tomorrow and so on.

@gsmet
Member Author

gsmet commented Jan 26, 2024

@michalvavrik 3.7 is planned for Wednesday. If I can merge a fix by Tuesday evening, that's all fine.


@michalvavrik
Member

@gsmet 36bfe4c

@michalvavrik
Member

I do recommend applying the fix on the 3.6 branch as well, just to be safe, though I'm currently not aware of a concrete scenario where this could cause a problem.

(cherry picked from commit 4a82745c000813b4153a1775329776672af95cfa)
(cherry picked from commit 6f3d752d157cc8eb22cc86c521cd6f029f67f42f)
@gsmet gsmet force-pushed the jaxrs-security-fixes branch from 467cc9c to 3dcf570 on January 26, 2024 18:33

quarkus-bot bot commented Jan 26, 2024

✔️ The latest workflow run for the pull request has completed successfully.

It should be safe to merge provided you have a look at the other checks in the summary.

You can consult the Develocity build scans.

@gsmet gsmet merged commit 796c38a into quarkusio:main Jan 27, 2024
50 checks passed
@quarkus-bot quarkus-bot bot added this to the 3.9 - main milestone Jan 27, 2024