Bug 1130383 (CVE-2014-3599)

Summary: CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: georgi.geshev, grocha, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: hornetq-rest 2.5.0.Beta1
Doc Type: Bug Fix
Doc Text:
It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Story Points: ---
Last Closed: 2014-12-06 05:00:29 UTC
Bug Blocks: 1135934

Description Arun Babu Neelicattu 2014-08-15 05:35:45 UTC
Issue Description:

It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 Arun Babu Neelicattu 2014-08-15 05:38:08 UTC
Acknowledgements:

Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.

Comment 2 Arun Babu Neelicattu 2014-08-15 05:40:46 UTC
Mitigation:

When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

<context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
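
A small deployment-descriptor check, added here as an illustration and not part of the advisory or the HornetQ project: it parses a web.xml, applies the precedence stated above (a `<context-param>` wins over a servlet `<init-param>`), and reports whether `resteasy.document.expand.entity.references` is explicitly `false`. The init-param fallback and the two sample descriptors are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

def _local(tag):
    """Strip the web-app namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]

def _params(parent, wrapper):
    """Collect <wrapper><param-name>..</param-name><param-value>..</param-value></wrapper> children."""
    found = {}
    for elem in parent:
        if _local(elem.tag) != wrapper:
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip().lower()
        if name:
            found[name] = value
    return found

def effective_setting(web_xml):
    """Return (value, where) for PARAM, or (None, None) when it is not set at all.
    <context-param> takes precedence (as the advisory states); falling back to a
    servlet <init-param> when no context-param exists is an assumption."""
    root = ET.fromstring(web_xml)  # web.xml is the app's own descriptor, not attacker input
    ctx = _params(root, "context-param")
    if PARAM in ctx:
        return ctx[PARAM], "context-param"
    for servlet in root:
        if _local(servlet.tag) == "servlet":
            ini = _params(servlet, "init-param")
            if PARAM in ini:
                return ini[PARAM], "init-param"
    return None, None

def entity_expansion_disabled(web_xml):
    """True only when the parameter is explicitly 'false'; unset counts as not disabled."""
    return effective_setting(web_xml)[0] == "false"

# Constructed sample: an init-param says false, but a contrary context-param overrides it.
OVERRIDDEN = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>%s</param-name><param-value>true</param-value></context-param>
  <servlet><servlet-name>rest</servlet-name>
    <init-param><param-name>%s</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>""" % (PARAM, PARAM)

# Constructed sample: the mitigation snippet from this comment applied.
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param><param-name>%s</param-name><param-value>false</param-value></context-param>
</web-app>""" % PARAM
```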

Comment 3 Arun Babu Neelicattu 2014-08-15 08:53:48 UTC
Upstream Issue:

https://issues.jboss.org/browse/HORNETQ-1390

Comment 4 Arun Babu Neelicattu 2014-08-15 09:22:55 UTC
Statement:

Not Vulnerable. HornetQ REST is not provided by any Red Hat product.

Comment 5 Arun Babu Neelicattu 2014-09-29 13:25:21 UTC
Upstream Fix:

https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2

Comment 6 Arun Babu Neelicattu 2014-12-06 04:59:55 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml