==========================================================================
Ubuntu Security Notice USN-7630-1
July 10, 2025

resteasy, resteasy3.0 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.04
- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in resteasy, resteasy3.0.

Software Description:
- resteasy: A project that provides various frameworks to help you build RESTful Web Services and RESTful Java applications
- resteasy3.0: A project that provides various frameworks to help you build RESTful Web Services and RESTful Java applications

Details:

It was discovered that RESTEasy made insufficient use of random values in
asynchronous jobs. An attacker could possibly use this issue to steal
user data. This issue only affected Ubuntu 14.04 LTS. (CVE-2016-6345)

It was discovered that RESTEasy enabled a vulnerable GZIP decompression
module by default. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 14.04 LTS.
(CVE-2016-6346)

It was discovered that RESTEasy improperly made use of unsanitized data
while handling certain errors. An attacker could possibly use this issue
to cause a denial of service or execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-6347)

It was discovered that RESTEasy enabled a vulnerable JSON manipulation
module by default. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-6348)

It was discovered that RESTEasy enabled a vulnerable deserialization
module by default. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code.
This issue only affected Ubuntu 14.04 LTS. (CVE-2016-7050)

Nikos Papadopoulos discovered that RESTEasy improperly handled URL encoding
when certain errors occur. An attacker could possibly use this issue to
modify the app's behavior for other users throughout the network.
This issue did not affect resteasy3.0 in Ubuntu 24.04 LTS, Ubuntu 24.10,
and Ubuntu 25.04. (CVE-2020-10688)

Mirko Selber discovered that RESTEasy improperly validated user input
during HTTP response construction. An attacker could possibly use this
issue to to cause a denial of service or execute arbitrary code.
This issue did not affect resteasy3.0 in Ubuntu 22.04 LTS,
Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. (CVE-2020-1695)

It was discovered that RESTEasy improperly handled receiving the
WebApplicationException during a client call. An attacker could possibly
use this issue to obtain potentially sensitive server information.
(CVE-2020-25633)

It was discovered that RESTEasy improperly populated exception responses
with endpoint class and method names. An attacker could possibly use this
issue to obtain potentially sensitive server information. (CVE-2021-20289)

It was discovered that RESTEasy used improper permissions when creating
temporary files. An attacker could possibly use this issue to get access to
sensitive data. (CVE-2023-0482)

It was discovered that RESTEasy improperly handled certain HTTP requests
containing ASCII control characters. An attacker could possibly use this
issue to cause a denial of service. (CVE-2024-9622)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.04
  libresteasy-java                3.6.2-3ubuntu0.25.04.1
  libresteasy3.0-java             3.0.26-6ubuntu0.25.04.1

Ubuntu 24.10
  libresteasy3.0-java             3.0.26-6ubuntu0.24.10.1

Ubuntu 24.04 LTS
  libresteasy3.0-java             3.0.26-6ubuntu0.24.04.1

Ubuntu 22.04 LTS
  libresteasy3.0-java             3.0.26-3ubuntu0.1

Ubuntu 20.04 LTS
  libresteasy3.0-java             3.0.26-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libresteasy3.0-java             3.0.26-1~18.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libresteasy-java                3.0.6-3ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7630-1
  CVE-2016-6345, CVE-2016-6346, CVE-2016-6347, CVE-2016-6348,
  CVE-2016-7050, CVE-2020-10688, CVE-2020-1695, CVE-2020-25633,
  CVE-2021-20289, CVE-2023-0482, CVE-2024-9622

Package Information:
  https://launchpad.net/ubuntu/+source/resteasy/3.6.2-3ubuntu0.25.04.1
  https://launchpad.net/ubuntu/+source/resteasy3.0/3.0.26-6ubuntu0.25.04.1
  https://launchpad.net/ubuntu/+source/resteasy/3.0.26-6ubuntu0.24.10.1
  https://launchpad.net/ubuntu/+source/resteasy3.0/3.0.26-6ubuntu0.24.10.1
  https://launchpad.net/ubuntu/+source/resteasy/3.0.26-6ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/resteasy3.0/3.0.26-6ubuntu0.24.04.1
  https://launchpad.net/ubuntu/+source/resteasy/3.0.26-3ubuntu0.1
  https://launchpad.net/ubuntu/+source/resteasy3.0/3.0.26-3ubuntu0.1