IssueDescription: It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Acknowledgements: Red Hat would like to thank Georgi Geshev of MWR Labs for reporting this issue.
Mitigation: When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

    <context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
    </context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
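As an added example (not code from Red Hat, HornetQ or RESTEasy), the following hypothetical audit helper reads a web.xml and reports whether the resteasy.document.expand.entity.references parameter is effectively set to false, applying the precedence rule stated above (a <context-param> overrides a contrary <init-param>) and treating an absent parameter as expansion enabled, which is the default the advisory describes. The three deployment descriptors are constructed samples.

```python
# Hypothetical audit helper (not HornetQ's or Red Hat's code): reads a web.xml and
# reports whether RESTEasy entity expansion is effectively disabled, applying the
# advisory's rule that <context-param> overrides a contrary <init-param>.
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"

def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.split("}")[-1]

def _values(root, element):
    """Yield every <param-value> for PARAM found under <element> (context-param or init-param)."""
    for el in root.iter():
        if _local(el.tag) != element:
            continue
        names = [c.text.strip() for c in el if _local(c.tag) == "param-name" and c.text]
        values = [c.text.strip() for c in el if _local(c.tag) == "param-value" and c.text]
        if names == [PARAM] and values:
            yield values[0]

def effective_entity_expansion(web_xml):
    """Return (value, source): the effective setting and which element supplied it."""
    root = ET.fromstring(web_xml)
    for element in ("context-param", "init-param"):  # advisory: context-param wins
        found = list(_values(root, element))
        if found:
            return found[-1].lower(), element
    # No setting at all: per the advisory, expansion stays enabled unless set to false.
    return "true", "default"

def is_hardened(web_xml):
    """True only when the effective value is the literal 'false'."""
    return effective_entity_expansion(web_xml)[0] == "false"

NS = 'xmlns="http://java.sun.com/xml/ns/javaee"'
# Constructed sample deployment descriptors.
VULNERABLE_WEB_XML = f"<web-app {NS}><servlet><servlet-name>rest</servlet-name></servlet></web-app>"
HARDENED_WEB_XML = f"""<web-app {NS}>
  <context-param>
    <param-name>{PARAM}</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""
CONFLICTING_WEB_XML = f"""<web-app {NS}>
  <context-param><param-name>{PARAM}</param-name><param-value>false</param-value></context-param>
  <servlet><servlet-name>rest</servlet-name>
    <init-param><param-name>{PARAM}</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for label, doc in [("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML), ("conflicting", CONFLICTING_WEB_XML)]:
        print(label, effective_entity_expansion(doc), "hardened" if is_hardened(doc) else "NOT hardened")
```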
Upstream Issue: https://issues.jboss.org/browse/HORNETQ-1390
Statement: Not Vulnerable. HornetQ REST is not provided by any Red Hat product.
Upstream Fix: https://github.com/hornetq/hornetq/commit/b3a63576371828d5f8e64ba7ccbcecb1da8111d2
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3599.yaml