Bug 1107901 (CVE-2014-3490)
| Summary: | CVE-2014-3490 RESTEasy: XXE via parameter entities | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | David Jorm <djorm> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | alee, bbaranow, bdawidow, bkearney, brms-jira, cbillett, cdewolf, chazlett, cpelland, dandread, darran.lofthouse, epp-bugs, fnasser, grocha, huwang, jason.greene, jawilson, jbpapp-maint, jcoleman, jdg-bugs, jpallich, jrusnack, juan.hernandez, katello-bugs, kconner, kejohnso, lgao, mgoldman, mjc, mmccune, mnovotny, mweiler, myarboro, pgier, pslavice, rhq-maint, rsigal, rsvoboda, security-response-team, soa-p-jira, spinder, theute, tkirby, tomckay, ttarrant, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | resteasy 3.0.9.Final, resteasy 2.3.8.SP2, resteasy 2.3.8.SP1-redhat-1 | Doc Type: | Bug Fix |
| Doc Text: |
It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:33:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1121906, 1121894, 1121895, 1121896, 1121897, 1121898, 1121899, 1121900, 1121901, 1121902, 1121903, 1121904, 1121905, 1121907, 1121908, 1121909, 1121910, 1121911, 1121912, 1121913, 1121914, 1121915, 1121916, 1121917, 1121918, 1130248, 1160697 | ||
| Bug Blocks: | 1082938, 1105426, 1107902, 1121942, 1128762, 1139455, 1142503, 1181883, 1182400, 1182419, 1187398, 1200191 | ||
|
Description
David Jorm
2014-06-11 01:51:33 UTC
Acknowledgements: This issue was discovered by David Jorm of Red Hat Product Security. Upstream bug (currently private): https://issues.jboss.org/browse/RESTEASY-1073 Upstream patch commit: https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83 Weinan's PR https://github.com/resteasy/Resteasy/pull/533 (Branch_2_3) and my PR https://github.com/resteasy/Resteasy/pull/521 (master branch) have been applied, and RESTEASY-1073 is closed. This issue has been addressed in following products: Red Hat Enterprise Linux 7 Via RHSA-2014:1011 https://rhn.redhat.com/errata/RHSA-2014-1011.html This issue has been addressed in following products: JBoss Enterprise Application Platform 6.3.0 Via RHSA-2014:1039 https://rhn.redhat.com/errata/RHSA-2014-1039.html This issue has been addressed in following products: JBEAP 6.3.z for RHEL 6 JBEAP 6.3.z for RHEL 5 JBEAP 6.3.z for RHEL 7 Via RHSA-2014:1040 https://rhn.redhat.com/errata/RHSA-2014-1040.html Created resteasy tracking bugs for this issue: Affects: fedora-all [bug 1130248] This issue has been addressed in the following products: JBoss Data Grid 6.3.1 Via RHSA-2014:1298 https://rhn.redhat.com/errata/RHSA-2014-1298.html This issue has been addressed in the following products: JBoss Operations Network 3.3.0 Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html This issue has been addressed in the following products: JBoss Web Framework Kit 2.7.0 Via RHSA-2015:0125 https://rhn.redhat.com/errata/RHSA-2015-0125.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html resteasy-3.0.6-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html |