Bug 1165328 – CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1165328 - (CVE-2014-7839) CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider

Summary:	CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider

Status:	CLOSED ERRATA

Aliases:	CVE-2014-7839

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20141118,repor...
Keywords:	Security

Depends On:	1165330 1165331 1165332 1165333 1165334 1165335 1165337 1165338 1165339 1165340 1165341 1165342 1165343 1165344 1165345 1192663 1192664 1192665 1192666 1192667 1192668 1192669
Blocks:	1155350 1162778 1196328 1200191 1206755 1210482
	Show dependency tree / graph

Reported:	2014-11-18 15:18 EST by Pavel Polischouk
Modified:	2016-11-21 13:49 EST (History)
CC List:	74 users (show)

See Also:
Fixed In Version:	resteasy 3.0.11.Final, resteasy 2.3.10.Final
Doc Type:	Bug Fix
Doc Text:	It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-11-21 13:49:32 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0215	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update	2015-02-11 20:06:34 EST
Red Hat Product Errata	RHSA-2015:0216	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update	2015-02-11 20:18:36 EST
Red Hat Product Errata	RHSA-2015:0217	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update	2015-02-11 20:16:58 EST
Red Hat Product Errata	RHSA-2015:0218	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update	2015-02-11 20:36:41 EST
Red Hat Product Errata	RHSA-2015:0675	normal	SHIPPED_LIVE	Important: Red Hat JBoss Data Virtualization 6.1.0 update	2015-03-11 16:51:21 EDT
Red Hat Product Errata	RHSA-2015:0773	normal	SHIPPED_LIVE	Important: Red Hat JBoss Data Grid 6.4.1 update	2015-04-01 14:48:20 EDT
Red Hat Product Errata	RHSA-2015:0850	normal	SHIPPED_LIVE	Important: Red Hat JBoss BRMS 6.1.0 update	2015-04-16 16:02:45 EDT
Red Hat Product Errata	RHSA-2015:0851	normal	SHIPPED_LIVE	Important: Red Hat JBoss BPM Suite 6.1.0 update	2015-04-16 16:02:37 EDT

Groups: None (edit)

Description Pavel Polischouk 2014-11-18 15:18:26 EST

IssueDescription:

It was found that RESTEasy DocumentProvider does not set the external-parameter-entities and external-general-entities features approppriately, thus allowing External Entity Expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 2 Arun Babu Neelicattu 2014-11-18 20:19:07 EST

Upstream Issues:

https://issues.jboss.org/browse/RESTEASY-1130

Comment 3 Arun Babu Neelicattu 2014-11-19 00:39:20 EST

Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7839.yaml

Comment 4 Arun Babu Neelicattu 2014-11-27 21:34:57 EST

Upstream fix commits:

https://github.com/resteasy/Resteasy/pull/611

Comment 6 errata-xmlrpc 2015-02-11 15:07:00 EST

This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.3

Via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html

Comment 7 errata-xmlrpc 2015-02-11 15:26:40 EST

This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6

Via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html

Comment 8 errata-xmlrpc 2015-02-11 15:30:47 EST

This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 5

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html

Comment 9 errata-xmlrpc 2015-02-11 16:14:49 EST

This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 7

Via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html

Comment 11 errata-xmlrpc 2015-03-11 12:55:36 EDT

This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 12 errata-xmlrpc 2015-04-01 10:48:55 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html

Comment 16 errata-xmlrpc 2015-04-16 12:07:53 EDT

This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 17 errata-xmlrpc 2015-04-16 12:10:46 EDT

This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html

Comment 18 Chess Hazlett 2015-09-02 18:05:41 EDT

Statement:

Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 19 Chess Hazlett 2016-11-21 13:49:32 EST

This issue has been addressed in the following products:

  JBoss Portal Platform 6.2.0

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-1009.html
(added via fix-cve-names)

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
alee
anemec
asantos
aszczucz
bbaranow
bdawidow
bkearney
bmaxwell
brms-jira
cbillett
cdewolf
chazlett
cpelland
dandread
darran.lofthouse
epp-bugs
etirelli
felias
fnasser
grocha
gvarsami
hchiorea
hfnukal
huwang
jason.greene
jawilson
jboss-set
jbpapp-maint
jcoleman
jdg-bugs
jolee
jpallich
juan.hernandez
katello-bugs
kconner
kejohnso
kkhan
kseifried
ldimaggi
lgao
lpetrovi
mbaluch
mgoldman
mmccune
mnovotny
mweiler
mwinkler
myarboro
nwallace
ohadlevy
pavelp
pgier
psakar
pslavice
rhq-maint
rrajasek
rsvoboda
rwagner
rzhang
soa-p-jira
spinder
tcunning
theute
tjay
tkirby
tlestach
tomckay
ttarrant
twalsh
vhalbert
vtunka
weli