Issue Description: It was found that the default context parameters JBoss EAP provides to RESTEasy deployments did not explicitly disable external entity expansion for RESTEasy. A remote attacker could use this flaw to perform XML External Entity (XXE) attacks against RESTEasy applications that accept XML input.
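The flaw is a parser configuration default rather than an application bug: the container never told RESTEasy's XML providers to stop resolving external entities, so any resource that unmarshals attacker-supplied XML inherits that behaviour. The script below is an added example (not code from this advisory, from RESTEasy or from JBoss) showing the mechanism and the two checks a practitioner wants: the same payload parsed with expansion left on and with it explicitly off (plus a stricter variant that refuses DOCTYPE altogether), and an audit of a web.xml for whether the hardening is set explicitly instead of inherited. Assumptions: Python's SAX parser stands in for the JAXB/DOM unmarshalling a RESTEasy resource performs; the secret file, the payload and both web.xml fragments are constructed for the example; the RESTEasy context-parameter names (resteasy.document.expand.entity.references and the two DTD controls beside it) are taken from the RESTEasy user guide, not from this page.

```python
"""XXE against an XML-consuming endpoint, and the explicit parser hardening the
advisory says EAP's default RESTEasy context parameters omitted. Added example,
not code from the advisory, RESTEasy or JBoss; the secret file, payload and
web.xml fragments are constructed, and Python's SAX parser stands in for the
JAXB/DOM unmarshalling a RESTEasy resource performs."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler
from xml.etree import ElementTree as ET

# Constructed stand-in for a sensitive file readable by the server process.
SECRET_PATH = os.path.join(tempfile.mkdtemp(prefix="xxe-demo-"), "secret.txt")
with open(SECRET_PATH, "w") as secret_file:
    secret_file.write("s3cr3t-token-value")

def xxe_payload(path=SECRET_PATH):
    """Constructed body an attacker POSTs to a resource that unmarshals
    <customer> from XML and echoes <name> back (in-band XXE)."""
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE customer [<!ENTITY xxe SYSTEM "%s">]>\n'
            '<customer><name>&xxe;</name></customer>\n' % path).encode()

class _NameCollector(handler.ContentHandler):
    """Collects the character data that ends up inside <name>."""
    def __init__(self):
        super().__init__()
        self.in_name, self.parts = False, []
    def startElement(self, name, attrs):
        self.in_name = name == "name"
    def endElement(self, name):
        self.in_name = self.in_name and name != "name"
    def characters(self, content):
        if self.in_name:
            self.parts.append(content)

class _RejectDTD:
    """Lexical handler that refuses any DOCTYPE, so no entity can even be
    declared (the stricter companion of disabling expansion)."""
    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted")
    endDTD = comment = startCDATA = endCDATA = lambda self, *args: None

def extract_name(xml_bytes, expand_external_entities=False, allow_dtd=True):
    """Parse as an endpoint would and return the <name> text."""
    parser = xml.sax.make_parser()
    # The setting this advisory is about, set explicitly instead of inherited.
    parser.setFeature(handler.feature_external_ges, expand_external_entities)
    if not allow_dtd:
        parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    collector = _NameCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)

# RESTEasy context parameters and the values that close the hole (names from
# the RESTEasy user guide, not from this advisory): the first is the one the
# advisory concerns, the other two are RESTEasy's related DTD controls.
SAFE_PARAMS = {
    "resteasy.document.expand.entity.references": "false",
    "resteasy.document.secure.disableDTDs": "true",
    "resteasy.document.secure.processing.feature": "true",
}

def audit_web_xml(web_xml_text):
    """List the hardening parameters a web.xml leaves unset or unsafe;
    empty means the app does not rely on the container's defaults."""
    found = {}
    for elem in ET.fromstring(web_xml_text).iter():
        if elem.tag.rsplit("}", 1)[-1] == "context-param":
            fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
            found[fields.get("param-name")] = fields.get("param-value", "").lower()
    return [p for p, safe in SAFE_PARAMS.items() if found.get(p) != safe]

# Constructed descriptors: one relying on container defaults, one explicit.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param><param-name>resteasy.servlet.mapping.prefix</param-name>
    <param-value>/api</param-value></context-param>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", "".join(
    "<context-param><param-name>%s</param-name><param-value>%s</param-value>"
    "</context-param>" % kv for kv in SAFE_PARAMS.items()) + "</web-app>")

def run_demo():
    """Same payload through the vulnerable and hardened parser, plus the audit."""
    try:
        extract_name(xxe_payload(), allow_dtd=False)
        dtd_rejected = False
    except ValueError:
        dtd_rejected = True
    return {
        "leaked_with_expansion": extract_name(xxe_payload(), True),
        "leaked_without_expansion": extract_name(xxe_payload()),
        "dtd_rejected": dtd_rejected,
        "weak_web_xml_missing": audit_web_xml(WEAK_WEB_XML),
        "hardened_web_xml_missing": audit_web_xml(HARDENED_WEB_XML),
    }
```

With expansion on, the <name> field comes back holding the contents of the file the entity pointed at; with it explicitly off the field is empty, and with DOCTYPE refused the request is rejected before any entity is declared. For an application on an EAP build without the fix, the equivalent workaround is what HARDENED_WEB_XML does: set the RESTEasy parameters in the application's own web.xml so the deployment no longer depends on what the container passes in.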
Acknowledgements: This issue was discovered by the Red Hat JBoss Enterprise Application Platform QE team.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.4 Via RHSA-2014:0797 https://rhn.redhat.com/errata/RHSA-2014-0797.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 5 Via RHSA-2014:0798 https://rhn.redhat.com/errata/RHSA-2014-0798.html
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 6 Via RHSA-2014:0799 https://rhn.redhat.com/errata/RHSA-2014-0799.html
Created wildfly tracking bugs for this issue: Affects: fedora-all [bug 1124642]
Upstream Issue: https://issues.jboss.org/browse/WFLY-3458
This issue has been addressed in the following products: JBoss Data Grid 6.3.0 Via RHSA-2014:0895 https://rhn.redhat.com/errata/RHSA-2014-0895.html
https://github.com/jbossas/jboss-eap/pull/1894
This issue has been addressed in the following products: JBoss Operations Network 3.3.0 Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html