Bug 1498760 (CVE-2017-14868)

Summary: CVE-2017-14868 restlet: XML external entity injection
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, chazlett, gvarsami, jcoleman, kconner, ldimaggi, nwallace, pavelp, rwagner, tcunning, tkirby
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: org.restlet.ext.jaxrs 2.3.11; org.restlet.lib.org.simpleframework.simple-xml 2.7.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-27 21:22:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1498762    

Description Andrej Nemec 2017-10-05 07:52:44 UTC
This vulnerability affects the SimpleXMLProvider in Restlet. The affected code allows a remote attacker to potentially access arbitrary files on the system by sending a request with maliciously crafted XML data to a REST API built with Restlet. If you use a combination of both Restlet and Simple XML then your application is very likely affected.

External References:

https://lgtm.com/blog/restlet_CVE-2017-14868

Upstream issue:

https://github.com/restlet/restlet-framework-java/issues/1286

Upstream patch:

https://github.com/restlet/restlet-framework-java/commit/7c2636718c284598da0eed0839ef69bfccf48071