PT-2014-5356 · Red Hat · RESTEasy

Ron Sigal · Published 2014-08-06 · Updated 2022-05-14 · CVE-2014-3490

CVSS v2.0: 7.5 (High), Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0; RESTEasy 2.3.1 before 2.3.8.SP2; RESTEasy 3.x before 3.0.9.
Description: This is an XML External Entity (XXE) issue. RESTEasy resolves external entities declared in the DTD of an incoming XML document even when the resteasy.document.expand.entity.references context parameter, which exists precisely to turn that behaviour off, is set to false. Any client that can submit an XML body to a JAXB or DOM endpoint can therefore make the server read arbitrary files with the application's privileges (and, depending on the endpoint, return their contents in the response) or cause other unspecified impact. The flaw exists because the fix for CVE-2012-0818 was incomplete.
Recommendations: For RESTEasy 2.3.x, update to 2.3.8.SP2 or later. For RESTEasy 3.x, update to 3.0.9 or later. For Red Hat JBoss EAP 6.3.0, apply the Red Hat errata listed under Related Identifiers, which ship the fixed RESTEasy component. There is no configuration workaround through resteasy.document.expand.entity.references: on affected versions the value false is not honoured, and setting it to true explicitly enables entity expansion. Until the update is applied, do not expose XML-consuming (JAXB or DOM) endpoints to untrusted clients, or reject request bodies that contain a DOCTYPE declaration before they reach RESTEasy, since XXE requires a DTD. After updating, verify the fix by submitting an XML body that declares an external entity pointing at a known file and confirming that the entity is not expanded.
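The verification step above, as an added example that is not part of this advisory or of RESTEasy: it models the failure mode of CVE-2014-3490 (a "disable entity expansion" switch that is accepted but never enforced) next to the corrected behaviour, and runs the regression check that tells the two apart. Python's xml.sax/expat stands in for the Java parser that RESTEasy configures; the function names, the canary file and the constructed XML probe are assumptions for illustration. The probe body is also the shape of request you would POST to an XML endpoint of a deployment under test.

```python
# Added example (not RESTEasy code): models the CVE-2014-3490 failure mode,
# a "disable entity expansion" switch that is accepted but not enforced, and
# the regression check that tells an honoured switch from an ignored one.
# Python's xml.sax/expat stands in for the Java parser RESTEasy configures;
# function and file names are illustrative assumptions.
import io
import os
import tempfile
import xml.sax
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Concatenates all character data, the way a JAXB bean would bind a field."""

    def __init__(self):
        super().__init__()
        self.text = ""

    def characters(self, data):
        self.text += data


def parse_honouring_flag(xml_bytes, expand_entity_references):
    """Fixed behaviour: the setting really controls external entity resolution."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, bool(expand_entity_references))
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def parse_ignoring_flag(xml_bytes, expand_entity_references):
    """Affected behaviour: the setting is read but never reaches the parser,
    so external entities are resolved whatever its value."""
    del expand_entity_references  # accepted, then ignored
    return parse_honouring_flag(xml_bytes, True)


def xxe_probe(system_id):
    """Constructed XML body declaring an external entity that points at
    system_id; this is the request shape an attacker sends to an XML endpoint."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE item [<!ENTITY xxe SYSTEM "' + system_id.encode() + b'">]>\n'
        b"<item><name>&xxe;</name></item>"
    )


def flag_is_honoured(parse_fn):
    """Regression check: with expansion disabled, a canary file on disk must
    not show up in the parsed output. Returns True when the switch works."""
    canary = "canary-5f2e9b"
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as f:
        f.write(f"<canary>{canary}</canary>")  # constructed fixture, not a real secret
        canary_path = f.name
    try:
        text = parse_fn(xxe_probe(canary_path), expand_entity_references=False)
    finally:
        os.unlink(canary_path)
    return canary not in text


if __name__ == "__main__":
    for fn in (parse_honouring_flag, parse_ignoring_flag):
        print(f"{fn.__name__}: flag honoured = {flag_is_honoured(fn)}")
```

Against a live deployment the same check is a POST of xxe_probe() with a file you know the contents of, followed by a search of the response for that content; a response that echoes the file back, or a server-side error that reveals the file was opened, means the setting is not being enforced.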

Fix

Fixed in RESTEasy 2.3.8.SP2 and 3.0.9; Red Hat ships the fix for EAP 6.3.0 and for its RESTEasy packages in the errata listed under Related Identifiers.

Weakness Enumeration

CWE-611: Improper Restriction of XML External Entity Reference (XXE)

Related Identifiers

ALT-PU-2017-2491
CESA-2014:1011
CVE-2014-3490
GHSA-qjpq-5pq3-43rr
MGASA-2014-0547
RHSA-2014:1011
RHSA-2014:1040

Affected Products

ALT Linux
CentOS
RESTEasy
Red Hat
Red Hat JBoss Enterprise Application Platform