Bug 1165328 (CVE-2014-7839) - CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
Summary: CVE-2014-7839 RESTeasy: External entities expanded by DocumentProvider
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-7839
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1165330 1165331 1165332 1165333 1165334 1165335 1165337 1165338 1165339 1165340 1165341 1165342 1165343 1165344 1165345 1192663 1192664 1192665 1192666 1192667 1192668 1192669
Blocks: 1155350 1162778 1196328 1200191 1206755 1210482
TreeView+ depends on / blocked
 
Reported: 2014-11-18 20:18 UTC by Pavel Polischouk
Modified: 2021-02-17 05:59 UTC (History)
74 users (show)

Fixed In Version: resteasy 3.0.11.Final, resteasy 2.3.10.Final
Doc Type: Bug Fix
Doc Text:
It was found that the RESTEasy DocumentProvider did not set the external-parameter-entities and external-general-entities features appropriately, thus allowing external entity expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks.
Clone Of:
Environment:
Last Closed: 2016-11-21 18:49:32 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0215 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update 2015-02-12 01:06:34 UTC
Red Hat Product Errata RHSA-2015:0216 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update 2015-02-12 01:18:36 UTC
Red Hat Product Errata RHSA-2015:0217 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update 2015-02-12 01:16:58 UTC
Red Hat Product Errata RHSA-2015:0218 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.3 update 2015-02-12 01:36:41 UTC
Red Hat Product Errata RHSA-2015:0675 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0773 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.4.1 update 2015-04-01 18:48:20 UTC
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC

Description Pavel Polischouk 2014-11-18 20:18:26 UTC 
IssueDescription:

It was found that RESTEasy DocumentProvider does not set the external-parameter-entities and external-general-entities features approppriately, thus allowing External Entity Expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Comment 2 Arun Babu Neelicattu 2014-11-19 01:19:07 UTC 
Upstream Issues:

https://issues.jboss.org/browse/RESTEASY-1130
Comment 3 Arun Babu Neelicattu 2014-11-19 05:39:20 UTC 
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7839.yaml
Comment 4 Arun Babu Neelicattu 2014-11-28 02:34:57 UTC 
Upstream fix commits:

https://github.com/resteasy/Resteasy/pull/611
Comment 6 errata-xmlrpc 2015-02-11 20:07:00 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.3

Via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html
Comment 7 errata-xmlrpc 2015-02-11 20:26:40 UTC 
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6

Via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html
Comment 8 errata-xmlrpc 2015-02-11 20:30:47 UTC 
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 5

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html
Comment 9 errata-xmlrpc 2015-02-11 21:14:49 UTC 
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 7

Via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html
Comment 11 errata-xmlrpc 2015-03-11 16:55:36 UTC 
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
Comment 12 errata-xmlrpc 2015-04-01 14:48:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
Comment 16 errata-xmlrpc 2015-04-16 16:07:53 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 17 errata-xmlrpc 2015-04-16 16:10:46 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Comment 18 Chess Hazlett 2015-09-02 22:05:41 UTC 
Statement:

Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 19 Chess Hazlett 2016-11-21 18:49:32 UTC 
This issue has been addressed in the following products:

  JBoss Portal Platform 6.2.0

Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-1009.html
(added via fix-cve-names)
Note You need to log in before you can comment on or make changes to this bug.