It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application that does not explicitly set this context parameter to false may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other, more advanced XXE attacks.
Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.
When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:
Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
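As an added example (not part of this advisory or of the HornetQ project), the script below audits a web.xml for the setting described above: it reports whether resteasy.document.expand.entity.references is explicitly set to false, applies the precedence rule that a <context-param> overrides an <init-param> of the same name, and can insert the missing <context-param> into a descriptor that relies on the default. The three descriptors embedded in it are constructed for the example, and the servlet class com.example.RestServlet is a hypothetical name.

```python
"""Audit a HornetQ REST web.xml for the RESTEasy entity-expansion setting.

Added example, not part of the Red Hat advisory. It parses a deployment
descriptor and reports whether resteasy.document.expand.entity.references
is explicitly set to "false", honouring the precedence the advisory
describes: a <context-param> wins over an <init-param> with the same name.
All sample descriptors below are constructed for this example.
"""
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

# Constructed sample 1: relies on the RESTEasy default, so entity expansion stays on.
WEB_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>hornetq-rest-example</display-name>
</web-app>
"""

# Constructed sample 2: the parameter the advisory names, set to false as a <context-param>.
WEB_XML_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>hornetq-rest-example</display-name>
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
"""

# Constructed sample 3: a servlet <init-param> turns expansion on, but the
# <context-param> takes precedence and keeps it off. The servlet class is hypothetical.
WEB_XML_CONFLICT = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>
  <servlet>
    <servlet-name>rest</servlet-name>
    <servlet-class>com.example.RestServlet</servlet-class>
    <init-param>
      <param-name>resteasy.document.expand.entity.references</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _params(root: ET.Element, container: str) -> dict:
    """Collect name -> value for every <container> element (context-param or init-param)."""
    found = {}
    for elem in root.iter():
        if _local(elem.tag) != container:
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name and name not in found:  # first occurrence wins
            found[name] = value
    return found


def effective_setting(web_xml: str):
    """Return the value RESTEasy would see for PARAM, or None if unset (default)."""
    root = ET.fromstring(web_xml)
    context = _params(root, "context-param")
    init = _params(root, "init-param")
    if PARAM in context:  # <context-param> overrides any <init-param>
        return context[PARAM]
    return init.get(PARAM)


def entity_expansion_disabled(web_xml: str) -> bool:
    """True only when the descriptor explicitly disables entity expansion."""
    value = effective_setting(web_xml)
    return value is not None and value.lower() == "false"


def add_context_param(web_xml: str, name: str, value: str) -> str:
    """Append a <context-param> to the descriptor, preserving its default namespace."""
    root = ET.fromstring(web_xml)
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    qname = (lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t)
    param = ET.SubElement(root, qname("context-param"))
    ET.SubElement(param, qname("param-name")).text = name
    ET.SubElement(param, qname("param-value")).text = value
    if ns:
        ET.register_namespace("", ns)  # keep xmlns="..." rather than an ns0: prefix
    return ET.tostring(root, encoding="unicode")


def harden(web_xml: str) -> str:
    """Return the descriptor with the parameter set to false if it is not already."""
    if entity_expansion_disabled(web_xml):
        return web_xml
    return add_context_param(web_xml, PARAM, "false")


if __name__ == "__main__":
    samples = (("default", WEB_XML_DEFAULT), ("hardened", WEB_XML_HARDENED), ("conflict", WEB_XML_CONFLICT))
    for label, doc in samples:
        print(f"{label:9s} entity expansion disabled: {entity_expansion_disabled(doc)}")
```

Run against a real deployment, read the descriptor from disk and pass its text to entity_expansion_disabled(); a False result means the application is running with the RESTEasy default the advisory warns about. harden() only appends a <context-param> and leaves any existing <init-param> in place, relying on the precedence noted above.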
Not Vulnerable. HornetQ REST is not provided by any Red Hat product.