Restlet applications which use ObjectRepresentation to map HTTP request data directly to an object will deserialize arbitrary user-provided XML using XMLDecoder. XMLDecoder will deserialize an attacker-provided definition of a class and execute its methods. A remote attacker could use this flaw to perform remote code execution in the context of the server running the Restlet application.
Upstream Bug: https://github.com/restlet/restlet-framework-java/issues/774

External References:
http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html
http://restlet.org/learn/2.1/changes
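As an added example (not code from this bug report or from the Restlet project), a boundary filter that refuses the Java-object XML variant before any resource can hand it to ObjectRepresentation, for deployments that cannot yet move to 2.1.4; the class name is hypothetical, the Restlet types used are the framework's own.

```java
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.MediaType;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

/**
 * Hypothetical filter (not part of Restlet): rejects any request entity whose
 * media type is application/x-java-serialized-object+xml, the variant that
 * ObjectRepresentation feeds to java.beans.XMLDecoder. Wire it in front of the
 * application's router so the check runs before routing and content negotiation.
 */
public class RejectJavaObjectXmlFilter extends Filter {

    public RejectJavaObjectXmlFilter(Context context, Restlet next) {
        super(context, next);
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        if (request.isEntityAvailable()) {
            MediaType type = request.getEntity().getMediaType();
            // Compare on the media type name only, so parameters such as
            // charset cannot be used to slip past the comparison.
            if (type != null
                    && MediaType.APPLICATION_JAVA_OBJECT_XML.getName().equals(type.getName())) {
                response.setStatus(Status.CLIENT_ERROR_UNSUPPORTED_MEDIA_TYPE,
                        "Java object XML entities are not accepted");
                return STOP; // short-circuit: the resource never sees the entity
            }
        }
        return CONTINUE;
    }
}
```

Rejected requests are answered with 415, which also gives a clean log signal for monitoring attempts against unpatched instances.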
*** This bug has been marked as a duplicate of bug 1011726 ***
Erroneously marked as duplicate.
This flaw is resolved in Restlet 2.1.4, by disabling the vulnerable use cases.
This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.0.0
Via RHSA-2013:1410 https://rhn.redhat.com/errata/RHSA-2013-1410.html

This issue has been addressed in the following products:
Fuse ESB Enterprise 7.1.0
Via RHSA-2013:1862 https://rhn.redhat.com/errata/RHSA-2013-1862.html