It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit a SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Upstream patch: https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36

External References: https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc
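For teams auditing their own SAXSource handling, the following added example (not code from the Camel patch or from this report) shows one general JAXP mitigation for this class of flaw: ignore whatever reader the caller supplied and parse through a reader that rejects DOCTYPE declarations and external entities. The class name, the helper names and the sample documents are assumptions made for illustration, and the entity target is a placeholder.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.sax.SAXSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedSaxSourceDemo {
    // Build an XMLReader that refuses DOCTYPE declarations and external entities.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser().getXMLReader();
    }

    // Convert untrusted XML to a DOM, replacing any reader the caller attached.
    static Document toDom(SAXSource untrusted) throws Exception {
        SAXSource safe = new SAXSource(hardenedReader(), untrusted.getInputSource());
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        DOMResult out = new DOMResult();
        tf.newTransformer().transform(safe, out);  // identity transform: SAX -> DOM
        return (Document) out.getNode();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; the entity target is a placeholder path.
        String benign = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
                       + "<order><id>&x;</id></order>";
        Document d = toDom(new SAXSource(new InputSource(new StringReader(benign))));
        System.out.println("benign root: " + d.getDocumentElement().getNodeName());
        try {
            toDom(new SAXSource(new InputSource(new StringReader(withDtd))));
            System.out.println("DOCTYPE accepted (reader is not hardened)");
        } catch (TransformerException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Rejecting DOCTYPE outright is the strictest setting; applications that must accept DTDs can drop that one feature and rely on the two external-entity features instead.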
This issue has been addressed in the following products: JBoss Fuse/A-MQ 6.1.0 Via RHSA-2015:1041 https://rhn.redhat.com/errata/RHSA-2015-1041.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.2 Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html
This issue has been addressed in the following products: JBoss BRMS 6.1.2 Via RHSA-2015:1538 https://rhn.redhat.com/errata/RHSA-2015-1538.html
This issue has been addressed in the following products: JBoss Fuse Service Works 6.2.1 Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html