- Vulnerability/
- RHSA-2012:1056
RHSA-2012:1056: Moderate: resteasy security update
First published: Thu Jul 05 2012(Updated: )
RESTEasy provides various frameworks to help you build RESTful web services<br>and RESTful Java applications.<br>It was found that RESTEasy was vulnerable to XML External Entity (XXE)<br>attacks. If a remote attacker submitted a request containing an external<br>XML entity to a RESTEasy endpoint, the entity would be resolved, allowing<br>the attacker to read files accessible to the user running the application<br>server. This flaw affected DOM (Document Object Model) Document and JAXB<br>(Java Architecture for XML Binding) input. (CVE-2012-0818)<br>Note: The fix for CVE-2012-0818 is not enabled by default. This update adds<br>a new configuration option to disable entity expansion in RESTEasy. If<br>applications on your server expose RESTEasy XML endpoints, a<br>resteasy.document.expand.entity.references configuration snippet must be<br>added to their web.xml file to disable entity expansion in RESTEasy. Refer<br>to Red Hat Bugzilla bug 785631 for details.<br>Warning: Before applying this update, back up your JBoss Enterprise<br>Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along<br>with all other customized configuration files.<br>All users of JBoss Enterprise Application Platform 5.1.2 as provided from<br>the Red Hat Customer Portal are advised to install this update.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Resteasy Base JAX-RS API | ||
| JBoss Enterprise Application Platform |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=785631
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=5.1.2
- https://access.redhat.com/errata/RHSA-2012:1056 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2012:1056?
The severity of RHSA-2012:1056 is classified as moderate.
How do I fix RHSA-2012:1056?
To fix RHSA-2012:1056, upgrade to the latest version of RESTEasy that addresses the XML External Entity vulnerabilities.
What type of attack does RHSA-2012:1056 protect against?
RHSA-2012:1056 protects against XML External Entity (XXE) attacks.
Who is affected by RHSA-2012:1056?
RHSA-2012:1056 affects users of RESTEasy who handle XML data without proper validation.
When was RHSA-2012:1056 released?
RHSA-2012:1056 was released on September 10, 2012.
- collector/redhat-errata
- anchor-id/RHSA-2012:1056
- agent/references
- agent/severity
- agent/type
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- agent/title
- agent/description
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat resteasy base jax-rs api
- canonical/jboss enterprise application platform