IssueDescription: It was found that RESTEasy DocumentProvider does not set the external-parameter-entities and external-general-entities features appropriately, thus allowing External Entity Expansion. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
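Added example, not RESTEasy's code and not the upstream fix: a JAXP DocumentBuilderFactory hardened by switching off the two SAX features named in the description (external-general-entities and external-parameter-entities), plus the Xerces disallow-doctype-decl feature, XInclude and entity-reference expansion as defence in depth. The sample request body is constructed here and uses a placeholder SYSTEM identifier; the helper names and the HardenedXmlParser class are assumptions for this example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class HardenedXmlParser {

    // Standard SAX feature URIs; these are the two the issue description says
    // DocumentProvider left at their (insecure) defaults.
    private static final String EXT_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";
    // Xerces-specific feature (the JDK's bundled parser supports it): reject any DOCTYPE.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Factory configured so that external entities are never fetched or expanded. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(EXT_GENERAL, false);      // no external general entities
        f.setFeature(EXT_PARAMETER, false);    // no external parameter entities
        f.setFeature(DISALLOW_DOCTYPE, true);  // no DTD at all when none is expected
        f.setXIncludeAware(false);             // XInclude can also pull in local files
        f.setExpandEntityReferences(false);    // leave entity references unexpanded
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /**
     * Parses the body and returns "OK: <text of root element>" on success, or
     * "REJECTED: <exception class>" if the parser refused the document.
     */
    public static String describeParse(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder b = factory.newDocumentBuilder();
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "OK: " + d.getDocumentElement().getTextContent();
        } catch (Exception e) { // SAXParseException for a rejected DOCTYPE, IOException otherwise
            return "REJECTED: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory safe = hardenedFactory();

        // Constructed benign request body: parses normally.
        String benign = "<?xml version=\"1.0\"?><data>hello</data>";

        // Constructed body declaring an external general entity with a placeholder
        // SYSTEM identifier. A default factory would try to open that path and
        // substitute its contents for &ext;; the hardened factory rejects the
        // DOCTYPE before any resolution is attempted.
        String withEntity = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/path\">]>\n"
            + "<data>&ext;</data>";

        System.out.println("benign     -> " + describeParse(safe, benign));
        System.out.println("with DTD   -> " + describeParse(safe, withEntity));
    }
}
```

If an endpoint legitimately needs a DTD, keep the two external-entity features at false and drop only the disallow-doctype-decl line; the remaining settings still prevent a SYSTEM identifier from being dereferenced.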
Upstream Issues: https://issues.jboss.org/browse/RESTEASY-1130
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/7839.yaml
Upstream fix commits: https://github.com/resteasy/Resteasy/pull/611
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.3 Via RHSA-2015:0215 https://rhn.redhat.com/errata/RHSA-2015-0215.html
This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 6 Via RHSA-2015:0217 https://rhn.redhat.com/errata/RHSA-2015-0217.html
This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 5 Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-0216.html
This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 7 Via RHSA-2015:0218 https://rhn.redhat.com/errata/RHSA-2015-0218.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.4 Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Statement: Red Hat Web Framework Kit has moved out of maintenance phase and is no longer supported by Red Hat Product Security. This issue is not currently planned to be addressed in any future updates. For additional information, refer to the Red Hat JBoss Middleware Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
This issue has been addressed in the following products: JBoss Portal Platform 6.2.0 Via RHSA-2015:0216 https://rhn.redhat.com/errata/RHSA-2015-1009.html (added via fix-cve-names)