RESTEasy permits XXE (XML eXternal Entity) attacks. If a RESTEasy endpoint is deployed, a user can submit a request containing an external XML entity. This XML entity will be resolved, allowing a remote attacker to read files in the context of the user running the application server. This flaw affects DOM Document, JAXB and Fast Infoset (FI) input.
Upstream bugs:
https://issues.jboss.org/browse/RESTEASY-637
https://issues.jboss.org/browse/RESTEASY-647
https://issues.jboss.org/browse/RESTEASY-659
EAP 5.1.2 issue: https://issues.jboss.org/browse/JBPAPP-8054
EWP 5.1.2 issue: https://issues.jboss.org/browse/JBPAPP-8055
This issue has been addressed in the following products:
RHEV Manager version 3.x
Via RHSA-2012:0421 https://rhn.redhat.com/errata/RHSA-2012-0421.html
Back port to BRMS 5.3.0 release branch.
This issue has been addressed in the following products:
JBoss Enterprise BRMS Platform 5.2.0
Via RHSA-2012:0441 https://rhn.redhat.com/errata/RHSA-2012-0441.html
This issue has been addressed in the following products:
JBoss Enterprise Portal Platform 5.2.1
Via RHSA-2012:0519 https://rhn.redhat.com/errata/RHSA-2012-0519.html
The fix for CVE-2012-0818 is not enabled by default. After installing the relevant updates, if applications on your server expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:

    <context-param>
        <param-name>resteasy.document.expand.entity.references</param-name>
        <param-value>false</param-value>
    </context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
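As an added illustration (not RESTEasy's or Red Hat's code) of what the web.xml setting above protects against, the following hardened DOM parser refuses any request body that carries a DOCTYPE, so no external entity can be declared, let alone resolved. It assumes the JDK's built-in Xerces-derived parser, which understands the Apache feature URIs used here; the sample bodies are constructed for the demonstration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDomInput {

    // Build a DOM parser that refuses DOCTYPE declarations entirely, so no
    // entity (internal or external) can be declared or resolved. The extra
    // features are defence in depth should the DOCTYPE check be relaxed.
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setExpandEntityReferences(false); // the behaviour the web.xml parameter turns off
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    // Parse an untrusted request body; a body carrying a DOCTYPE is rejected
    // with a SAXParseException before any entity is touched.
    static Document parseUntrusted(String body) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: a benign order and one declaring an
        // external entity (the URL is a deliberately unresolvable placeholder).
        String benign = "<order><id>42</id></order>";
        String withEntity = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"http://example.invalid/e.xml\">]>\n"
            + "<order><id>&ext;</id></order>";

        System.out.println("benign root: " + parseUntrusted(benign).getDocumentElement().getTagName());
        try {
            parseUntrusted(withEntity);
            System.out.println("UNEXPECTED: entity-bearing body accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```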
This issue has been addressed in the following products:
JBEAP 5 for RHEL 4
JBEAP 5 for RHEL 5
JBEAP 5 for RHEL 6
Via RHSA-2012:1059 https://rhn.redhat.com/errata/RHSA-2012-1059.html
This issue has been addressed in the following products:
JBEWP 5 for RHEL 4
JBEWP 5 for RHEL 5
JBEWP 5 for RHEL 6
Via RHSA-2012:1058 https://rhn.redhat.com/errata/RHSA-2012-1058.html
This issue has been addressed in the following products:
JBoss Enterprise Web Platform 5.1.2
Via RHSA-2012:1057 https://rhn.redhat.com/errata/RHSA-2012-1057.html
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 5.1.2
Via RHSA-2012:1056 https://rhn.redhat.com/errata/RHSA-2012-1056.html
This issue has been addressed in the following products:
JBoss Enterprise SOA Platform 5.3.0
Via RHSA-2012:1125 https://rhn.redhat.com/errata/RHSA-2012-1125.html
This was also assigned CVE-2011-5245: The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.
This issue has been addressed in the following products:
Red Hat Storage Console 2.1
Via RHSA-2013:1263 https://rhn.redhat.com/errata/RHSA-2013-1263.html
This issue has been addressed in the following products:
Red Hat JBoss BPM Suite 6.0.1
Via RHSA-2014:0371 https://rhn.redhat.com/errata/RHSA-2014-0371.html
This issue has been addressed in the following products:
Red Hat JBoss BRMS 6.0.1
Via RHSA-2014:0372 https://rhn.redhat.com/errata/RHSA-2014-0372.html