Issue Description: It was found that Odata4j permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
Acknowledgements: This issue was discovered by David Jorm of Red Hat Product Security.
Fixed in https://issues.jboss.org/secure/attachment/12381735/org.odata4j.stax2.staximpl.StaxXMLFactoryProvider2.diff or a later attachment in https://issues.jboss.org/browse/TEIID-2911
This issue has been addressed in the following products: JBoss Data Virtualization 6.0.0, via RHSA-2015:0034 (https://rhn.redhat.com/errata/RHSA-2015-0034.html)