Issued:
2014-08-06
Updated:
2014-08-06

RHSA-2014:1011 - Moderate: resteasy-base security update

Synopsis

Moderate: resteasy-base security update

Type/Severity

Security Advisory Moderate

Topic

Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Description

RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification.

It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)

This issue was discovered by David Jorm of Red Hat Product Security.

All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions7.7x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions7.6x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions7.4x86_64
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions7.3x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support7.7x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support7.6x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support7.5x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support7.4x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support7.3x86_64
Red Hat Enterprise Linux for Scientific Computing7x86_64
Red Hat Enterprise Linux Workstation7x86_64
Red Hat Enterprise Linux Server7x86_64
Red Hat Enterprise Linux Server from RHUI7x86_64
Red Hat Enterprise Linux Server - TUS7.7x86_64
Red Hat Enterprise Linux Server - TUS7.6x86_64
Red Hat Enterprise Linux Server - TUS7.3x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support7x86_64
Red Hat Enterprise Linux Server - AUS7.7x86_64
Red Hat Enterprise Linux Server - AUS7.6x86_64
Red Hat Enterprise Linux Server - AUS7.4x86_64
Red Hat Enterprise Linux Server - AUS7.3x86_64
Red Hat Enterprise Linux EUS Compute Node7.7x86_64
Red Hat Enterprise Linux EUS Compute Node7.6x86_64
Red Hat Enterprise Linux EUS Compute Node7.5x86_64
Red Hat Enterprise Linux EUS Compute Node7.4x86_64
Red Hat Enterprise Linux EUS Compute Node7.3x86_64
Red Hat Enterprise Linux Desktop7x86_64

Updated Packages

  • resteasy-base-atom-provider-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jaxb-provider-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jackson-provider-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-providers-pom-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jettison-provider-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-2.3.5-3.el7_0.src.rpm
  • resteasy-base-tjws-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jaxrs-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jaxrs-api-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-jaxrs-all-2.3.5-3.el7_0.noarch.rpm
  • resteasy-base-javadoc-2.3.5-3.el7_0.noarch.rpm

Fixes

CVEs

References

Additional information