An XML External Entity (XXE) flaw was found in the jBPM runtime while executing BPMN2 files. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other, more advanced XXE attacks.
Acknowledgements: This issue was discovered by Jeremy Lindop of Red Hat.
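As an added example (not code from the drools or jBPM fix referenced on this page), this is the hardened JAXP parser configuration a defender would expect a BPMN2 loader to use, shown accepting a plain BPMN2 document and rejecting one that carries a DOCTYPE with an external entity declaration. The BPMN2 fragments, the class and method names, and the placeholder file URI are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedBpmn2Parser {
    // Constructed sample fragments: a minimal BPMN2 definitions document, and a DOCTYPE
    // declaring an external entity (the file URI is a placeholder, not a real path).
    static final String PROLOG = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
    static final String DOCTYPE =
        "<!DOCTYPE definitions [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n";
    static final String BODY =
          "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\" id=\"Definition\">\n"
        + "  <process id=\"demo\" name=\"demo\"/>\n"
        + "</definitions>\n";

    // A DocumentBuilder that refuses any DTD and never resolves external entities.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Rejecting the DOCTYPE outright blocks internal and external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should an implementation accept a DOCTYPE anyway.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the hardened parser accepted the document, false if it rejected it.
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain BPMN2 accepted:    " + accepts(PROLOG + BODY));
        System.out.println("BPMN2 with DTD accepted: " + accepts(PROLOG + DOCTYPE + BODY));
    }
}
```

The same features apply to SAXParserFactory and XMLInputFactory based loaders; whichever parser reads process definitions supplied by users needs the DOCTYPE rejected before any entity can be resolved.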
Fixed in drools and jbpm runtime side:

drools
  master: https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3
  6.2.x:  https://github.com/droolsjbpm/drools/commit/5b850e8c121be994dbbc5ecba3de4e7355ac4331

jbpm
  master: https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5
  6.2.x:  https://github.com/droolsjbpm/jbpm/commit/4d0dc877bc182cb8cc8b07bc95e9946d9aeb028e
Statement: Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html