Bug 1165328 (CVE-2014-7839)

Summary: CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
Product: [Other] Security Response
Reporter: Pavel Polischouk <pavelp>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, alazarot, alee, anemec, asantos, aszczucz, bbaranow, bdawidow, bkearney, bmaxwell, brms-jira, cbillett, cdewolf, chazlett, cpelland, dandread, darran.lofthouse, epp-bugs, etirelli, felias, fnasser, grocha, gvarsami, hchiorea, hfnukal, huwang, jason.greene, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jolee, jpallich, juan.hernandez, katello-bugs, kconner, kejohnso, kkhan, kseifried, ldimaggi, lgao, lpetrovi, mbaluch, mgoldman, mmccune, mnovotny, mweiler, mwinkler, myarboro, nwallace, ohadlevy, pavelp, pgier, psakar, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tjay, tkirby, tlestach, tomckay, ttarrant, twalsh, vhalbert, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: resteasy 3.0.11.Final, resteasy 2.3.10.Final
Doc Type: Bug Fix
Doc Text:
It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks.
Last Closed: 2016-11-21 18:49:32 UTC
Bug Depends On: 1165330, 1165331, 1165332, 1165333, 1165334, 1165335, 1165337, 1165338, 1165339, 1165340, 1165341, 1165342, 1165343, 1165344, 1165345, 1192663, 1192664, 1192665, 1192666, 1192667, 1192668, 1192669
Bug Blocks: 1155350, 1162778, 1196328, 1200191, 1206755, 1210482

Description Pavel Polischouk 2014-11-18 20:18:26 UTC
IssueDescription:

It was found that RESTEasy DocumentProvider does not set the external-parameter-entities and external-general-entities features appropriately, thus allowing External Entity Expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
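The two SAX features the description names, set the way a DOM provider must set them before parsing untrusted request bodies; this is an added example for the JDK's built-in (Xerces-based) DocumentBuilderFactory, not RESTEasy's own DocumentProvider code or its fix. The sample document and its placeholder entity URI are constructed; a default `DocumentBuilderFactory.newInstance()` would try to open that URI.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDomParsing {

    // Feature URIs named in the bug description; honoured by the JDK's Xerces parser.
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    // Stricter Xerces option: refuse any DOCTYPE, so no entity can be declared at all.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /** Factory with the features the vulnerable provider left at their permissive defaults. */
    static DocumentBuilderFactory hardenedFactory(boolean rejectDoctype) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(EXTERNAL_GENERAL, false);    // never fetch external general entities
        f.setFeature(EXTERNAL_PARAMETER, false);  // never fetch external parameter entities (DTDs)
        f.setFeature(DISALLOW_DOCTYPE, rejectDoctype);
        f.setXIncludeAware(false);                // XInclude is another file-read vector
        f.setExpandEntityReferences(false);       // keep references unexpanded in the DOM
        return f;
    }

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: declares an external general entity; the SYSTEM URI is a placeholder.
        String sample = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>\n"
            + "<doc>&ext;</doc>";

        // DOCTYPE tolerated: the entity is declared but the parser never opens the URI,
        // so the reference contributes no replacement text to the element.
        Document d = parse(hardenedFactory(false), sample);
        System.out.println("text with external entities disabled: '" + d.getDocumentElement().getTextContent() + "'");

        // DOCTYPE rejected: the document fails before any entity declaration is processed.
        try {
            parse(hardenedFactory(true), sample);
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Treat a ParserConfigurationException from setFeature as a deployment error: it means the parser in use does not support the feature, so the protection is absent rather than merely unverified.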

Comment 2 Arun Babu Neelicattu 2014-11-19 01:19:07 UTC
Upstream Issues:

https://issues.jboss.org/browse/RESTEASY-1130

Comment 3 Arun Babu Neelicattu 2014-11-19 05:39:20 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7839.yaml

Comment 4 Arun Babu Neelicattu 2014-11-28 02:34:57 UTC
Upstream fix commits:

https://github.com/resteasy/Resteasy/pull/611

Comment 6 errata-xmlrpc 2015-02-11 20:07:00 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.3

Via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html

Comment 7 errata-xmlrpc 2015-02-11 20:26:40 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6

Via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html

Comment 8 errata-xmlrpc 2015-02-11 20:30:47 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 5

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html

Comment 9 errata-xmlrpc 2015-02-11 21:14:49 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 7

Via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html

Comment 11 errata-xmlrpc 2015-03-11 16:55:36 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 12 errata-xmlrpc 2015-04-01 14:48:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html

Comment 16 errata-xmlrpc 2015-04-16 16:07:53 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 17 errata-xmlrpc 2015-04-16 16:10:46 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html

Comment 18 Chess Hazlett 2015-09-02 22:05:41 UTC
Statement:

Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 19 Chess Hazlett 2016-11-21 18:49:32 UTC
This issue has been addressed in the following products:

  JBoss Portal Platform 6.2.0

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-1009.html
(added via fix-cve-names)