An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0. Upstream patch: https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
Created c3p0 tracking bugs for this issue: Affects: epel-7 [bug 1664731] Affects: fedora-all [bug 1664730]
Statement: Red Hat Satellite 6 is not vulnerable to this issue, because the candlepin component who uses the c3p0 jar never passes a XML configuration file to c3p0, even though it includes a vulnerable version of the latter. Since this issue requires a XML files to be loaded by c3p0, an exploitation path doesn't exist.
This vulnerability is out of security support scope for the following products: * Red Hat JBoss BPM Suite 6 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss BRMS 5 * Red Hat JBoss SOA Platform 5 * Red Hat JBoss Fuse 6 * Red Hat JBoss Web Server 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following product: * Red Hat Mobile Application Platform Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Enterprise Web Server 2 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
RHDM and RHPAM both include c3p0 jar inside kie-server war which seems to be affected : jboss-eap7.2/standalone/deployments/kie-server.war/WEB-INF/lib/c3p0-0.9.1.1.jar