-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0082
Title: JBOSS security updates [1-4]

Version history:
  07.07.2012 Initial publication

Summary
=======
Updated resteasy packages that fix one security issue are now available for several JBOSS products [1-4]:

* JBoss Enterprise Application Platform 5.1.2
* JBoss Enterprise Web Platform 5.1.2
* JBoss Enterprise Web Platform 5 EL4
* JBoss Enterprise Web Platform 5 EL5
* JBoss Enterprise Web Platform 5 EL6
* JBoss Enterprise Application Platform 5 EL4
* JBoss Enterprise Application Platform 5 EL5
* JBoss Enterprise Application Platform 5 EL6

The Red Hat Security Response Team has rated this update as having moderate security impact.

CVE-2012-0818
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N) [5-6]

Vulnerable systems
==================
All users of the following products provided from the Red Hat Customer Portal are advised to install this update:

* JBoss Enterprise Application Platform 5.1.2
* JBoss Enterprise Web Platform 5.1.2
* JBoss Enterprise Web Platform 5 EL4
* JBoss Enterprise Web Platform 5 EL5
* JBoss Enterprise Web Platform 5 EL6
* JBoss Enterprise Application Platform 5 EL4
* JBoss Enterprise Application Platform 5 EL5
* JBoss Enterprise Application Platform 5 EL6

Original Details
================
RESTEasy provides various frameworks to help you build RESTful web services and RESTful Java applications.

It was found that RESTEasy was vulnerable to XML External Entity (XXE) attacks. If a remote attacker submitted a request containing an external XML entity to a RESTEasy endpoint, the entity would be resolved, allowing the attacker to read files accessible to the user running the application server. This flaw affected DOM (Document Object Model) Document and JAXB (Java Architecture for XML Binding) input. [1-4]

What can you do?
================
Fix is available. [1-4]

The fix for CVE-2012-0818 is not enabled by default.
This update adds a new configuration option to disable entity expansion in RESTEasy. If applications on your server expose RESTEasy XML endpoints, a resteasy.document.expand.entity.references context parameter, set to false, must be added to their web.xml file to disable entity expansion in RESTEasy. Installing the updated packages alone does not protect existing applications. Refer to Red Hat Bugzilla bug 785631 for details.

Warning: Before applying this update:

* back up your JBoss Enterprise Application Platform's "jboss-as/server/[PROFILE]/deploy/" directory, along with all other customized configuration files.
* back up your JBoss Enterprise Web Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other customized configuration files.

What to tell your users?
========================
N/A

More information
================
[1] https://rhn.redhat.com/errata/RHSA-2012-1056.html
[2] https://rhn.redhat.com/errata/RHSA-2012-1057.html
[3] https://rhn.redhat.com/errata/RHSA-2012-1058.html
[4] https://rhn.redhat.com/errata/RHSA-2012-1059.html
[5] https://www.redhat.com/security/data/cve/CVE-2012-0818.html
[6] More information about CVSS is available at: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJP+tdhAAoJEPpzpNLI8SVoScYQALTx/yEOYDj2ytr/yWG28PbJ
/vg5gewNkVTA3F2DIJQivM7XauS1a5Z3ZPcbwlvpiC93Ne3/hgmTYuUDMTss/WpC
s3UAuDRR7N6Q/7E7U+90ndRH4bG8c/cQnR5ScVlWDVlPNh/qzbyh8MragcKG7/fG
0f8O9k3nISym1ZCoelpwTvC7s66OfB3bWcQu1+vWPyORl/h6pbtYba5Zjh73ppVV
F7W1ajTzGlcSYqt2e9yPhNQKaFWPAlJFKQRWQ+nEX+BmpIDSowHeVKN+6F78y2Qf
MSKpO3efYj4sam4KSH7FHm8NCrjBGL1rnq8RaDNnhkNyRO4sIxTYKg80wTpeH93o
vsq/tFdQMl1lotNoR43y+VBTZAUiJQCWuupQ/zEpZBhFaBOb6GzSnQ45yg0Q/goO
ub7biOPdEVy3PqqxJGPi5CgALu2ODo8LEK2IWeFKh95gKxizT8gbNQwie93EmlKg
JWzn4hCWasZk566iC7gYN//atfifKL1jAOOCr0XujHKTeKc83oNBRCuDgf5wyIJX
1xj7TYM6BAsrm1cMJFjiOyKrXxkcJHdIcSo9Zn7qA3TizY0ms38fRktM4rQkHq4H
2p65YNbnOIBaYp6nBBkXlMhX5HH9FETfiQavLKUv9REyxp3ixorWyBUFsK8hRabx
f+qwQn44N5VDJrmUQL5p
=WaqG
-----END PGP SIGNATURE-----
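Worked example for the "What can you do?" section above. This is an added illustration, not part of the signed advisory or of the Red Hat errata: a web.xml for an application deployed on EAP/EWP 5 that exposes RESTEasy XML endpoints, with the resteasy.document.expand.entity.references context parameter the update introduces set to false. The servlet name, the /rest/* mapping and the bootstrap entries are placeholders for a typical RESTEasy 2.x deployment and are not taken from the advisory; only the context parameter itself is the fix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- The option added by the updated resteasy packages (RHSA-2012-1056..1059).
       It is NOT set by the packages themselves: every application on the
       server that accepts XML via RESTEasy needs this entry in its own
       web.xml. "false" stops RESTEasy from resolving external entities in
       DOM Document and JAXB input, which is what CVE-2012-0818 abuses. -->
  <context-param>
    <param-name>resteasy.document.expand.entity.references</param-name>
    <param-value>false</param-value>
  </context-param>

  <!-- Placeholder RESTEasy 2.x bootstrap; adjust to the application's own
       deployment descriptor (hypothetical names, not from the advisory). -->
  <context-param>
    <param-name>resteasy.scan</param-name>
    <param-value>true</param-value>
  </context-param>
  <listener>
    <listener-class>org.jboss.resteasy.plugins.server.servlet.ResteasyBootstrap</listener-class>
  </listener>
  <servlet>
    <servlet-name>Resteasy</servlet-name>
    <servlet-class>org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Resteasy</servlet-name>
    <url-pattern>/rest/*</url-pattern>
  </servlet-mapping>
</web-app>
```

Two practical points follow from this. First, the parameter is scoped to the web application, so an auditor has to check the web.xml of every WAR (including WARs packaged inside EARs) under the backed-up deploy/ directory, not just one; a server with the patched packages but an application missing the entry is still vulnerable. Second, after redeploying, verify the setting from the outside: submit a constructed XML request whose DOCTYPE declares an external entity pointing at a harmless local file on a test host and references it in an element. With the parameter in place, the entity must not be resolved, so the file's contents must never appear in the response, in an error message, or in the server log; if they do, the application is still reading entities and the entry has not taken effect (for example because an older web.xml was restored from the backup).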