CVE-2016-6345 in RESTEasy
Summary
by MITRE
RESTEasy allows remote authenticated users to obtain sensitive information by leveraging "insufficient use of random values" in async jobs.
Analysis
by VulDB Data Team • 07/15/2025
The vulnerability identified as CVE-2016-6345 affects the RESTEasy framework, a popular Java-based implementation of the Jakarta RESTful Web Services specification. This issue stems from insufficient randomness in the generation of identifiers used within asynchronous job processing mechanisms, creating a predictable pattern that malicious authenticated users can exploit to gain unauthorized access to sensitive information. The vulnerability specifically manifests in the way RESTEasy handles asynchronous operations: job identifiers and related metadata are generated without adequate entropy, making them susceptible to prediction attacks.
The technical flaw resides in the cryptographic weakness of random number generation within the framework's async job management system. When RESTEasy processes asynchronous operations, it creates job identifiers and related tracking values that should be unpredictable to prevent unauthorized access to other users' data. However, the implementation uses pseudo-random number generators or insufficient entropy sources that produce predictable sequences, allowing attackers who have authenticated to the system to infer or calculate the identifiers of other users' asynchronous jobs. This weakness directly maps to CWE-330, which addresses insufficient randomness in security-critical operations, and represents a significant deviation from established security practices for generating cryptographically secure identifiers.
The operational impact of this vulnerability extends beyond simple information disclosure, as authenticated attackers can leverage this predictability to access not only asynchronous job data but potentially other sensitive system resources that rely on similar identifier patterns. Attackers can use this information to perform unauthorized operations such as retrieving job results, accessing intermediate processing states, or even manipulating job execution flows. The vulnerability is particularly concerning in enterprise environments where RESTEasy is used for mission-critical applications, as it can lead to data breaches, service disruption, and potential lateral movement within the network. From an attack perspective, this vulnerability aligns with ATT&CK technique T1566, which involves credential access through the exploitation of weak authentication mechanisms or predictable identifiers, and can be classified under T1083 for the discovery of system information through predictable resource access patterns.
Organizations utilizing RESTEasy should implement immediate mitigations including upgrading to patched versions of the framework, ensuring proper entropy sources are used for identifier generation, and implementing additional access controls around asynchronous job management interfaces. The recommended approach involves configuring the application servers to use cryptographically secure random number generators and implementing proper input validation for job identifiers. System administrators should also consider implementing monitoring solutions to detect unusual patterns of job access or retrieval attempts that might indicate exploitation attempts. Additionally, organizations should conduct security assessments to identify other components that might be using similar predictable identifier generation patterns, as the vulnerability may not be isolated to RESTEasy alone. The mitigation strategy should align with NIST SP 800-53 requirements for secure random number generation and should be part of broader application security controls that address the principle of least privilege and secure identifier management practices.
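The two points above, the weak-entropy identifier pattern described in the technical analysis and the recommended mitigation of a cryptographically secure generator plus access controls around job retrieval, are illustrated by the following added example. It is not RESTEasy's code and does not claim to reproduce the patched or unpatched framework internals; the class and method names (AsyncJobIds, WeakIdSource, StrongIdSource, submit, fetch) and the in-memory job registry are hypothetical, constructed only to show the weak generator beside its hardened replacement and an ownership check on lookup.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical async-job registry illustrating CWE-330 (insufficient randomness).
// Added example; not RESTEasy's own implementation.
public final class AsyncJobIds {

    // Weak pattern: java.util.Random is a linear congruential generator whose
    // entire output sequence is determined by a 48-bit seed. Identifiers handed
    // to one user therefore reveal the generator state behind other users' IDs.
    static final class WeakIdSource {
        private final Random rng = new Random(); // default seed is not a secret
        String next() {
            return Long.toHexString(rng.nextLong());
        }
    }

    // Hardened pattern: SecureRandom draws from the platform CSPRNG, and 128 bits
    // of entropy per identifier make enumeration or inference impractical.
    static final class StrongIdSource {
        private static final SecureRandom RNG = new SecureRandom();
        private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
        String next() {
            byte[] buf = new byte[16];
            RNG.nextBytes(buf);
            return ENC.encodeToString(buf); // 22-char URL-safe token
        }
    }

    // Defence in depth: an unguessable ID is only a capability token. Bind each
    // job to the principal that created it and verify ownership on every lookup.
    record Job(String owner, String result) {}

    private final Map<String, Job> jobs = new ConcurrentHashMap<>();
    private final StrongIdSource ids = new StrongIdSource();

    String submit(String owner, String result) {
        String id = ids.next();
        jobs.put(id, new Job(owner, result));
        return id;
    }

    // Returns null for both "no such job" and "not the requester's job", so the
    // response does not confirm whether a guessed identifier exists.
    String fetch(String requester, String id) {
        Job j = jobs.get(id);
        if (j == null || !Objects.equals(j.owner(), requester)) {
            return null;
        }
        return j.result();
    }

    public static void main(String[] args) {
        AsyncJobIds registry = new AsyncJobIds();
        String aliceJob = registry.submit("alice", "alice-report.csv"); // constructed sample data
        System.out.println("alice fetches own job: " + registry.fetch("alice", aliceJob));
        System.out.println("bob fetches alice's job: " + registry.fetch("bob", aliceJob));
        System.out.println("sample strong id: " + new StrongIdSource().next());
        System.out.println("sample weak id:   " + new WeakIdSource().next());
    }
}
```

Two design choices matter here. First, the identifier length and source: 16 bytes from SecureRandom give a token that cannot be predicted from previously issued tokens, which is the property the weak generator lacks. Second, the lookup path never relies on the identifier alone; the ownership check means that even a correctly guessed ID yields nothing, and returning the same null result for unknown and foreign IDs avoids turning the endpoint into an oracle that confirms which identifiers are live. Logging the null-result path with the requesting principal also gives the monitoring hook the mitigation section recommends, since a burst of misses from one account is the pattern an enumeration attempt would leave.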