{
  "threat_severity" : "Moderate",
  "public_date" : "2014-05-28T00:00:00Z",
  "bugzilla" : {
    "description" : "Framework: Information disclosure via SSRF",
    "id" : "1110110",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1110110"
  },
  "cvss" : {
    "cvss_base_score" : "5.0",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-611",
  "details" : [ "When processing user-provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not, by default, disable the resolution of URI references in a DTD declaration. This enabled an XML External Entity (XXE) attack.", "It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers." ],
  "statement" : "Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support\nand maintenance life cycle. This has been rated as having Moderate security\nimpact and is not currently planned to be addressed in future updates. For\nadditional information, refer to the Red Hat OpenShift Enterprise Life Cycle:\nhttps://access.redhat.com/site/support/policy/updates/openshift.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss A-MQ 6.1",
    "release_date" : "2014-10-01T00:00:00Z",
    "advisory" : "RHSA-2014:1351",
    "cpe" : "cpe:/a:redhat:jboss_amq:6.1.0"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6.1",
    "release_date" : "2014-10-01T00:00:00Z",
    "advisory" : "RHSA-2014:1351",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6.1.0"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Will not fix",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Virtualization 3",
    "fix_state" : "Affected",
    "package_name" : "jasperreports-server-pro",
    "cpe" : "cpe:/a:redhat:enterprise_linux:7::hypervisor"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Not affected",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Portal 5",
    "fix_state" : "Will not fix",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Will not fix",
    "package_name" : "spring",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 2",
    "fix_state" : "Will not fix",
    "package_name" : "activemq",
    "cpe" : "cpe:/a:redhat:openshift:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0225\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0225" ],
  "name" : "CVE-2014-0225",
  "csaw" : false
}