Red Hat Bugzilla – Bug 1406811
CVE-2016-8739 apache-cxf: Atom entity provider of Apache CXF JAX-RS is vulnerable to XXE
Last modified: 2018-10-19 17:39:10 EDT
The Apache CXF JAX-RS implementation provides a number of Atom MessageBodyReaders. These readers use the Apache Abdera Parser to parse Atom Feeds or Entries, and this Parser expands XML entities by default. This represents a major XXE risk. External References: http://cxf.apache.org/security-advisories.data/CVE-2016-8739.txt.asc?version=1&modificationDate=1482164360575&api=v2
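Added illustration (not part of this bug report or of the CXF/Abdera code): what the default described above means for an Atom entry that arrives in a request body, using Python's stdlib xml.sax as a stand-in for the Abdera parser. The Atom payload and the "file" contents are constructed, and the entity resolver simulates the disk read so the demo runs offline. parse_title_vulnerable turns external general entity resolution on, as a parser that expands entities by default effectively does; parse_title_hardened keeps it off and additionally aborts on any DOCTYPE, which is the check a JAX-RS Atom provider should apply to untrusted input. All class and function names are mine.

```python
"""Added example: an Atom entry carrying an external entity, parsed by an
entity-expanding parser versus a hardened one. xml.sax stands in for the
Java parser; the file read is simulated by the EntityResolver."""
import io
import xml.sax
from xml.sax import handler, xmlreader

# Constructed attacker payload: an Atom entry whose <title> references an
# external entity declared in an inline DTD.
MALICIOUS_ENTRY = b"""<?xml version="1.0"?>
<!DOCTYPE entry [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<entry xmlns="http://www.w3.org/2005/Atom">
  <title>&xxe;</title>
  <id>urn:uuid:1</id>
</entry>"""

# Constructed benign entry, to show the hardened parser still accepts normal input.
BENIGN_ENTRY = b"""<?xml version="1.0"?>
<entry xmlns="http://www.w3.org/2005/Atom">
  <title>hello</title>
</entry>"""

# Constructed stand-in for what a real parser would read from disk.
FAKE_PASSWD = b"root:x:0:0:root:/root:/bin/bash"


class DTDForbidden(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


class TitleCollector(handler.ContentHandler):
    """Collects the text of <title>, i.e. the value the application would use."""
    def __init__(self):
        super().__init__()
        self.title = ""
        self._in_title = False

    def startElement(self, name, attrs):
        self._in_title = (name == "title")

    def endElement(self, name):
        if name == "title":
            self._in_title = False

    def characters(self, content):
        if self._in_title:
            self.title += content


class SimulatedFileResolver(handler.EntityResolver):
    """Records the system ID the parser asked for and hands back canned bytes
    instead of opening the real file (simulation, so the demo is offline)."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        src = xmlreader.InputSource(systemId)
        src.setByteStream(io.BytesIO(FAKE_PASSWD))
        return src


class RejectDoctype:
    """Minimal SAX lexical handler: abort on any DTD, ignore everything else."""
    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in Atom input")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass


def parse_title_vulnerable(data: bytes):
    """Entity-expanding configuration. Returns (title text, system IDs fetched)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, True)  # resolve external entities
    resolver = SimulatedFileResolver()
    parser.setEntityResolver(resolver)
    collector = TitleCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.title, resolver.requested


def parse_title_hardened(data: bytes) -> str:
    """Hardened configuration: external entities off and no DTD accepted at all."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)
    parser.setProperty(handler.property_lexical_handler, RejectDoctype())
    collector = TitleCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.title


def hardened_rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the input outright."""
    try:
        parse_title_hardened(data)
    except DTDForbidden:
        return True
    return False


if __name__ == "__main__":
    title, fetched = parse_title_vulnerable(MALICIOUS_ENTRY)
    print("vulnerable parser fetched", fetched, "and the title became:", title)
    print("hardened parser rejects the payload:", hardened_rejects(MALICIOUS_ENTRY))
    print("hardened parser on a benign entry:", parse_title_hardened(BENIGN_ENTRY))
```

The point of the two controls in parse_title_hardened is that they fail independently: turning off external general entities stops file and URL retrieval, while refusing any DOCTYPE also stops internal entity expansion attacks (entity bombs) that the first switch does not address.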
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1406813]
JBoss EAP 6 and 7 implement JAX-RS using Resteasy, not CXF. Therefore the vulnerable AbstractAtomProvider class is not part of either distribution. Setting EAP 6 and 7 layered products as not affected.
This issue has been addressed in the following products: Red Hat JBoss Fuse
Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868