{ "threat_severity" : "Moderate", "public_date" : "2014-07-23T00:00:00Z", "bugzilla" : { "description" : "RESTEasy: XXE via parameter entities", "id" : "1107901", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1107901" }, "cvss" : { "cvss_base_score" : "5.0", "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-611", "details" : [ "RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818.", "It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks." ], "acknowledgement" : "This issue was discovered by David Jorm (Red Hat Product Security).", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2014-08-06T00:00:00Z", "advisory" : "RHSA-2014:1011", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "resteasy-base-0:2.3.5-3.el7_0" }, { "product_name" : "Red Hat JBoss BPMS 6.0", "release_date" : "2015-02-17T00:00:00Z", "advisory" : "RHSA-2015:0234", "cpe" : "cpe:/a:redhat:jboss_bpms:6.0", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss BRMS 6.0", "release_date" : "2015-02-17T00:00:00Z", "advisory" : "RHSA-2015:0235", "cpe" : "cpe:/a:redhat:jboss_brms:6.0", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Data Grid 6.3", "release_date" : "2014-09-24T00:00:00Z", "advisory" : "RHSA-2014:1298", "cpe" : "cpe:/a:redhat:jboss_data_grid:6.3.1" }, { "product_name" : "Red Hat JBoss Data Virtualization 6.0", "release_date" : "2015-03-31T00:00:00Z", "advisory" : "RHSA-2015:0765", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.0", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Data Virtualization 6.1", "release_date" : "2015-03-11T00:00:00Z", "advisory" : "RHSA-2015:0675", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6.1" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.3", "release_date" : "2014-08-11T00:00:00Z", "advisory" : "RHSA-2014:1039", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6.3", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5", "release_date" : "2014-08-11T00:00:00Z", "advisory" : "RHSA-2014:1040", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5", "package" : "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6", "release_date" : "2014-08-11T00:00:00Z", "advisory" : "RHSA-2014:1040", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package" : "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7", "release_date" : "2014-08-11T00:00:00Z", "advisory" : "RHSA-2014:1040", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package" : "resteasy-0:2.3.8-5.SP1_redhat_1.1.ep6.el7" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6.0", "release_date" : "2015-03-24T00:00:00Z", "advisory" : "RHSA-2015:0720", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6.0", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Operations Network 3.3", "release_date" : "2014-11-25T00:00:00Z", "advisory" : "RHSA-2014:1904", "cpe" : "cpe:/a:redhat:jboss_operations_network:3.3", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Portal 6.2", "release_date" : "2015-05-14T00:00:00Z", "advisory" : "RHSA-2015:1009", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package" : "resteasy" }, { "product_name" : "Red Hat JBoss Web Framework Kit 2.7", "release_date" : "2015-02-04T00:00:00Z", "advisory" : "RHSA-2015:0125", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_framework:2.7.0", "package" : "resteasy" } ], "package_state" : [ { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Affected", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Portal 5", "fix_state" : "Will not fix", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Will not fix", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Fix deferred", "package_name" : "resteasy", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Not affected", "package_name" : "candlepin", "cpe" : "cpe:/a:rhel_sam:1" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Affected", "package_name" : "resteasy", "cpe" : "cpe:/a:rhel_sam:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-3490\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3490" ], "name" : "CVE-2014-3490", "csaw" : false }