Ron Sigal

Researcher from JBoss
#35797 of 53,632
7.5 Total CVSS
Vulnerabilities · 1
PT-2014-5356
7.5
2014-08-06
Red Hat · Resteasy · CVE-2014-3490
**Name of the Vulnerable Software and Affected Versions**

Red Hat JBoss Enterprise Application Platform (EAP) version 6.3.0
RESTEasy versions 2.3.1 through 2.3.8.SP2
RESTEasy versions 3.x through 3.0.9

**Description**

The issue is an XML External Entity (XXE) problem: external entities are not disabled even when the `resteasy.document.expand.entity.references` parameter is set to `false`. This allows remote attackers to read arbitrary files and potentially have other impacts via unspecified vectors.

**Recommendations**

For RESTEasy versions 2.3.1 through 2.3.8.SP2, update to version 2.3.8.SP2 or later.
For RESTEasy versions 3.x through 3.0.9, update to version 3.0.9 or later.
For Red Hat JBoss Enterprise Application Platform (EAP) version 6.3.0, consider updating the embedded RESTEasy component to a fixed version.
As a temporary workaround, consider setting the `resteasy.document.expand.entity.references` parameter to `true` to disable external entity expansion until a patch is available.