It was found that the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method returned a DocumentBuilderFactory that expands entity references, including external entities declared in a DOCTYPE of attacker-supplied XML such as a SAML message. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other, more advanced XXE attacks.
Upstream Bug: [jira PLINK-509]
Statement: This flaw could allow remote, unauthenticated attackers to read files accessible to the user running the application server, and potentially perform other, more advanced XXE attacks. All systems hosting PicketLink applications that act as SAML Identity Providers or Service Providers may be affected. It is strongly advised that anyone running an affected system apply the patches that address this flaw.
IssueDescription: It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. Because PicketLink parses SAML assertions and protocol messages received from remote parties with this factory, a remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other, more advanced XXE attacks.
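The following Java program is an added illustration of the flaw class described above; it is not PicketLink's code and does not reproduce the patched getDocumentBuilderFactory(). It builds two factories: a default one, which expands entity references the way the advisory describes, and a hardened one that refuses any DOCTYPE and switches off external entity loading. The SAML-shaped input, the entity name xxe and the target file /etc/hostname are constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeFactoryDemo {

    // Constructed sample input: a SAML-shaped response whose DOCTYPE declares
    // an external entity. A parser that expands entities splices the file's
    // contents into the NameID text node, which the application then reads
    // (or reflects back in an error) as if it were part of the message.
    static final String CONSTRUCTED_XML =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE samlp:Response [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n"
        + "  <NameID>&xxe;</NameID>\n"
        + "</samlp:Response>\n";

    // Behaviour the advisory describes: a stock factory, entity expansion on.
    static DocumentBuilderFactory permissiveFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f; // isExpandEntityReferences() is true by default
    }

    // Hardened factory (assumed configuration, not PicketLink's actual patch):
    // rejecting the DOCTYPE removes every entity declaration up front, and the
    // remaining features close the door if a parser ignores that one.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the message with the given factory and return the NameID text.
    static String parseNameId(DocumentBuilderFactory f, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getElementsByTagName("NameID").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            // Expected: the contents of /etc/hostname appear as the NameID.
            System.out.println("permissive: NameID = "
                + parseNameId(permissiveFactory(), CONSTRUCTED_XML).trim());
        } catch (IOException e) {
            // The parser tried to fetch the entity but the file is absent on this host.
            System.out.println("permissive: entity fetch attempted, failed: " + e);
        }
        try {
            parseNameId(hardenedFactory(), CONSTRUCTED_XML);
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is resolved.
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

Two points worth checking in your own code base: setExpandEntityReferences(false) on its own is not a fix, because Xerces-based parsers still fetch the external entity and only refrain from splicing it into the tree, so the file read (or outbound request) has already happened; and any XML that arrives from a remote party, SAML messages included, must go through a factory configured like hardenedFactory() rather than a bare DocumentBuilderFactory.newInstance().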
This issue has been addressed in the following products: JBEAP 6.2 for RHEL 6, JBEAP 6.2 for RHEL 5. Via RHSA-2014:0883 https://rhn.redhat.com/errata/RHSA-2014-0883.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 6. Via RHSA-2014:0885 https://rhn.redhat.com/errata/RHSA-2014-0885.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.2.4. Via RHSA-2014:0884 https://rhn.redhat.com/errata/RHSA-2014-0884.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 5.2.0. Via RHSA-2014:0886 https://rhn.redhat.com/errata/RHSA-2014-0886.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 6. Via RHSA-2014:0898 https://rhn.redhat.com/errata/RHSA-2014-0898.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.2.0. Via RHSA-2014:0897 https://rhn.redhat.com/errata/RHSA-2014-0897.html
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3530.yaml
This issue has been addressed in the following products: JBoss Operations Network 3.2.2. Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html
This issue has been addressed in the following products: JBoss Data Grid 6.4.0 Via RHSA-2015:0091 https://rhn.redhat.com/errata/RHSA-2015-0091.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue has been addressed in the following products: Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html