It was found that the fix for CVE-2016-9606 in versions 3.0.22 and 3.1.2 was incomplete and Yaml unmarshalling in Resteasy is still possible via Yaml.load() in YamlProvider.
Yaml.load()
{ "availability": "No subscription required", "binaries": [ { "binary_name": "libresteasy-java", "binary_version": "3.6.2-2" } ] }
{ "availability": "No subscription required", "binaries": [ { "binary_name": "libresteasy3.0-java", "binary_version": "3.0.26-1" } ] }