RHSA-2012:1058: Moderate: resteasy security update

First published: Thu Jul 05 2012(Updated: )

RESTEasy provides various frameworks to help you build RESTful web services<br>and RESTful Java applications.<br>It was found that RESTEasy was vulnerable to XML External Entity (XXE)<br>attacks. If a remote attacker submitted a request containing an external<br>XML entity to a RESTEasy endpoint, the entity would be resolved, allowing<br>the attacker to read files accessible to the user running the application<br>server. This flaw affected DOM (Document Object Model) Document and JAXB<br>(Java Architecture for XML Binding) input. (CVE-2012-0818)<br>Note: The fix for CVE-2012-0818 is not enabled by default. This update adds<br>a new configuration option to disable entity expansion in RESTEasy. If<br>applications on your server expose RESTEasy XML endpoints, a<br>resteasy.document.expand.entity.references configuration snippet must be<br>added to their web.xml file to disable entity expansion in RESTEasy. Refer<br>to Red Hat Bugzilla bug 785631 for details.<br>Warning: Before applying this update, back up your JBoss Enterprise Web<br>Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other<br>customized configuration files.<br>Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,<br>5, and 6 should upgrade to these updated packages, which correct this<br>issue. The JBoss server process must be restarted for this update to take<br>effect.<br>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• anchor-id/RHSA-2012:1058
• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/softwarecombine
• agent/tags
• agent/title
• agent/type
• package-manager/redhat