Bug 1165328 (CVE-2014-7839)
Summary: | CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pavel Polischouk <pavelp> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aileenc, alazarot, alee, anemec, asantos, aszczucz, bbaranow, bdawidow, bkearney, bmaxwell, brms-jira, cbillett, cdewolf, chazlett, cpelland, dandread, darran.lofthouse, epp-bugs, etirelli, felias, fnasser, grocha, gvarsami, hchiorea, hfnukal, huwang, jason.greene, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jolee, jpallich, juan.hernandez, katello-bugs, kconner, kejohnso, kkhan, kseifried, ldimaggi, lgao, lpetrovi, mbaluch, mgoldman, mmccune, mnovotny, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pavelp, pgier, psakar, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tjay, tkirby, tlestach, tomckay, ttarrant, twalsh, vhalbert, vtunka, weli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | resteasy 3.0.11.Final, resteasy 2.3.10.Final | Doc Type: | Bug Fix |
Doc Text: | It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities SAX features (http://xml.org/sax/features/external-parameter-entities and http://xml.org/sax/features/external-general-entities) to false on the parser it used for XML request bodies, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint that accepts an org.w3c.dom.Document could use this flaw to read files accessible to the user running the application server, and potentially perform other XML eXternal Entity (XXE) attacks, such as making the server fetch URLs reachable only from its network or consuming its memory through recursive entity definitions. |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-21 18:49:32 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1165330, 1165331, 1165332, 1165333, 1165334, 1165335, 1165337, 1165338, 1165339, 1165340, 1165341, 1165342, 1165343, 1165344, 1165345, 1192663, 1192664, 1192665, 1192666, 1192667, 1192668, 1192669 | ||
Bug Blocks: | 1155350, 1162778, 1196328, 1200191, 1206755, 1210482 |
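The defect described in the Doc Text, as an added example that is not RESTEasy's own code: a DocumentBuilderFactory left at its defaults (standing in for the pre-fix DocumentProvider, which did not turn the two SAX features off) beside a hardened factory, both run against a constructed request body whose general entity points at a local file. The class name, the temporary file and the payload are illustrative; the feature URIs are the standard SAX and Xerces ones supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // The two SAX features named in the advisory; both default to true on the JDK parser.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    // Xerces feature that rejects any DOCTYPE, which removes the whole entity attack surface.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Unsafe pattern: factory defaults, nothing disabled (what the pre-fix provider amounted to). */
    static DocumentBuilder vulnerableBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened factory: no DOCTYPE, no external entities, secure processing limits on. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setFeature(EXT_GENERAL, false);
        dbf.setFeature(EXT_PARAMETER, false);
        dbf.setXIncludeAware(false);
        // Leaves entity reference nodes unexpanded in the DOM (defence in depth; not sufficient alone).
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses the body the way a Document-typed resource parameter would and returns the root text. */
    static String rootText(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file readable by the application server's user.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed attacker request body: a general entity whose SYSTEM id is a local file URI.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<r>&xxe;</r>";

        try {
            // Default parser: the file contents come back inside the document.
            System.out.println("vulnerable: " + rootText(vulnerableBuilder(), payload));
            // Hardened parser: the DOCTYPE itself is rejected before any entity is resolved.
            rootText(hardenedBuilder(), payload);
            System.out.println("hardened: unexpected success");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Disabling the two external-entity features is the minimum the advisory describes; rejecting DOCTYPE outright is the stronger setting when an endpoint has no legitimate need for DTDs, because it also stops internal-entity expansion bombs that the external-entity features do not address. When you cannot upgrade to a fixed RESTEasy release, the same settings belong in any custom MessageBodyReader that builds a Document from request bodies.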
Description
Pavel Polischouk
2014-11-18 20:18:26 UTC
Upstream Issues: https://issues.jboss.org/browse/RESTEASY-1130
Upstream fix commits: https://github.com/resteasy/Resteasy/pull/611

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.3.3
Via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html

This issue has been addressed in the following products:
JBEAP 6.3.z for RHEL 6
Via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html

This issue has been addressed in the following products:
JBEAP 6.3.z for RHEL 5
Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html

This issue has been addressed in the following products:
JBEAP 6.3.z for RHEL 7
Via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html

This issue has been addressed in the following products:
JBoss Data Virtualization 6.1.0
Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

This issue has been addressed in the following products:
Red Hat JBoss Data Grid 6.4
Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html

This issue has been addressed in the following products:
JBoss BPM Suite 6.1.0
Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

This issue has been addressed in the following products:
JBoss BRMS 6.1.0
Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html

Statement:
Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

This issue has been addressed in the following products:
JBoss Portal Platform 6.2.0
Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-1009.html

(added via fix-cve-names)