Issue Description: It was found that Teiid SQL/XML permitted XML eXternal Entity (XXE) attacks. If a REST endpoint was deployed, a remote attacker could submit a request containing an external XML entity that, when resolved, allowed that attacker to read files on the application server in the context of the user running that server.
Steven Hawkins <shawkins> updated the status of jira TEIID-2911 to Resolved
David Jorm <djorm> updated the status of jira TEIID-2911 to Reopened
David Jorm <djorm> updated the status of jira TEIID-2911 to Resolved
Johnathon Lee <jolee> updated the status of jira TEIID-2911 to Reopened
Johnathon Lee <jolee> updated the status of jira TEIID-2911 to Closed
Acknowledgements: This issue was discovered by David Jorm of Red Hat Product Security.
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.0.0

Via RHSA-2014:1284 https://rhn.redhat.com/errata/RHSA-2014-1284.html