When parsing XML that performs entity expansion, the SAXParserFactory used in EAP 7.0.5 expands external entities even when XMLConstants.FEATURE_SECURE_PROCESSING is set to true:

SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Acknowledgments: Name: Jason Shepherd (Red Hat)
Mitigation: Enable the security features of the DocumentBuilderFactory or SAXParserFactory as described by OWASP: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
I found a workaround for this issue, which was to set: parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); I think we should close this one as WONTFIX. But perhaps we can raise a new issue to get the secure options set by default from EAP 7.1?
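As an added illustration of the mitigation and the workaround above (example code written for this page, not code from the report or from EAP), the following Java class puts the reported configuration next to a hardened one. The feature URIs come from the OWASP JAXP guidance linked above; the class name and the sample document are constructed.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxParser {

    // Constructed sample: a DOCTYPE carrying only a harmless internal entity.
    // What matters is that a DOCTYPE is present at all; a hardened parser must
    // reject the document before any entity, internal or external, is resolved.
    static final String XML_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE greeting [<!ENTITY who \"world\">]>"
      + "<greeting>Hello &who;</greeting>";

    // The configuration from the report: FEATURE_SECURE_PROCESSING alone.
    // On the affected EAP 7.0.5 parser this does not stop external entity expansion.
    static SAXParserFactory secureProcessingOnly() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Hardened configuration: the disallow-doctype-decl workaround from the comment,
    // plus the OWASP defence-in-depth features that switch off external general and
    // parameter entities and external DTD loading.
    static SAXParserFactory hardened() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Returns true if a parser built from the factory accepts the DOCTYPE-bearing document.
    static boolean acceptsDoctype(SAXParserFactory f, String xml) throws Exception {
        SAXParser p = f.newSAXParser();
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false; // disallow-doctype-decl rejects the document up front
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("secure-processing only accepts DOCTYPE: "
            + acceptsDoctype(secureProcessingOnly(), XML_WITH_DOCTYPE));
        System.out.println("hardened accepts DOCTYPE: "
            + acceptsDoctype(hardened(), XML_WITH_DOCTYPE));
    }
}
```

Running the class shows the first factory parsing the document and the hardened one refusing it, which is the behaviour the mitigation aims for regardless of whether the bundled parser honours FEATURE_SECURE_PROCESSING.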
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-7464