Bug 1130383 (CVE-2014-3599) - CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy
Summary: CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-3599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20141118,repor...
Depends On:
Blocks: 1135934
Reported: 2014-08-15 05:35 UTC by Arun Babu Neelicattu
Modified: 2019-06-08 20:09 UTC

Fixed In Version: hornetq-rest 2.5.0.Beta1
Doc Type: Bug Fix
Doc Text:
It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed: 2014-12-06 05:00:29 UTC



Description Arun Babu Neelicattu 2014-08-15 05:35:45 UTC
IssueDescription:

It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 Arun Babu Neelicattu 2014-08-15 05:38:08 UTC
Acknowledgements:

Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.

Comment 2 Arun Babu Neelicattu 2014-08-15 05:40:46 UTC
Mitigation:

When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

<context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
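
Added example, not part of the original bug report or of HornetQ: a Python check that reads a web.xml and reports whether the mitigation above is effectively in place, applying the stated precedence of <context-param> over <init-param>. The status names, the SAMPLE document and the choice to report an init-param-only setting for review are assumptions of this example.

```python
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def _values(parent, kind):
    """Values of PARAM in the <context-param>/<init-param> children of parent."""
    found = []
    for el in parent:
        if _local(el.tag) == kind:
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            if fields.get("param-name") == PARAM:
                found.append(fields.get("param-value", "").lower())
    return found

def audit_web_xml(xml_text):
    """Classify a web.xml: 'ok', 'expands-entities', 'init-param-only' or 'missing'."""
    root = ET.fromstring(xml_text)
    ctx = _values(root, "context-param")
    init = [v for el in root if _local(el.tag) in ("servlet", "filter")
            for v in _values(el, "init-param")]
    if ctx:
        # A <context-param> overrides any <init-param>, so it alone decides.
        return "ok" if all(v == "false" for v in ctx) else "expands-entities"
    if init:
        # Assumption of this example: an init-param alone is reported for review,
        # because the mitigation asks for the context-param.
        return "init-param-only"
    return "missing"

# Constructed sample: context-param says true, a servlet init-param says false.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>true</param-value>
  </context-param>
  <servlet>
    <servlet-name>rest</servlet-name>
    <init-param>
      <param-name>resteasy.document.expand.entity.references</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE))
```

Any result other than "ok" means the application does not explicitly disable entity expansion through the context parameter.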

Comment 3 Arun Babu Neelicattu 2014-08-15 08:53:48 UTC
Upstream Issue:

https://issues.jboss.org/browse/HORNETQ-1390

Comment 4 Arun Babu Neelicattu 2014-08-15 09:22:55 UTC
Statement:

Not Vulnerable. HornetQ REST is not provided by any Red Hat product.

Comment 5 Arun Babu Neelicattu 2014-09-29 13:25:21 UTC
Upstream Fix:

https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2

Comment 6 Arun Babu Neelicattu 2014-12-06 04:59:55 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml

