Vulnerabilities > CVE-2014-3490 - Information Disclosure vulnerability in RESTEasy Incomplete Fix XML Entity References
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0818. <a href="http://cwe.mitre.org/data/definitions/611.html" rel="nofollow">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2014-16845.NASL description Security fix for CVE-2014-3490 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2015-04-27 plugin id 83066 published 2015-04-27 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83066 title Fedora 20 : resteasy-3.0.6-3.fc20 (2014-16845) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1011.NASL description Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) This issue was discovered by David Jorm of Red Hat Product Security. All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 77014 published 2014-08-06 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77014 title RHEL 7 : resteasy-base (RHSA-2014:1011) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-1040.NASL description Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) This issue was discovered by David Jorm of Red Hat Product Security. All users of Red Hat JBoss Enterprise Application Platform 6.3.0 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 77178 published 2014-08-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77178 title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1040) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-1011.NASL description From Red Hat Security Advisory 2014:1011 : Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) This issue was discovered by David Jorm of Red Hat Product Security. All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 77011 published 2014-08-06 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77011 title Oracle Linux 7 : resteasy-base (ELSA-2014-1011) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-1011.NASL description Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification. It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490) This issue was discovered by David Jorm of Red Hat Product Security. All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 77031 published 2014-08-07 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77031 title CentOS 7 : resteasy-base (CESA-2014:1011)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2014-1011.html
- http://rhn.redhat.com/errata/RHSA-2014-1039.html
- http://rhn.redhat.com/errata/RHSA-2014-1040.html
- http://rhn.redhat.com/errata/RHSA-2014-1298.html
- http://rhn.redhat.com/errata/RHSA-2015-0125.html
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0720.html
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- http://secunia.com/advisories/60019
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/69058
- https://github.com/resteasy/Resteasy/pull/521
- https://github.com/resteasy/Resteasy/pull/533
- https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83