Bug 1130383 (CVE-2014-3599)

Summary: CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy
Product: [Other] Security Response Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: georgi.geshev, grocha, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: hornetq-rest 2.5.0.Beta1 Doc Type: Bug Fix
Doc Text:
It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-12-06 05:00:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 1135934    

Description Arun Babu Neelicattu 2014-08-15 05:35:45 UTC
IssueDescription:

It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 Arun Babu Neelicattu 2014-08-15 05:38:08 UTC
Acknowledgements:

Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.

Comment 2 Arun Babu Neelicattu 2014-08-15 05:40:46 UTC
Mitigation:

When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

<context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.

Comment 3 Arun Babu Neelicattu 2014-08-15 08:53:48 UTC
Upstream Issue:

https://issues.jboss.org/browse/HORNETQ-1390

Comment 4 Arun Babu Neelicattu 2014-08-15 09:22:55 UTC
Statement:

Not Vulnerable. HornetQ REST is not provided by any Red Hat product.

Comment 5 Arun Babu Neelicattu 2014-09-29 13:25:21 UTC
Upstream Fix:

https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2

Comment 6 Arun Babu Neelicattu 2014-12-06 04:59:55 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml