Impact: Moderate Public Date: 2014-11-18 CWE: CWE-611 Bugzilla: 1130383: CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy It was discovered that HornetQ REST did not set the resteasy.document.expand.entity.references context parameter to false by default. A HornetQ REST application, which does not explicitly set the required context parameter to false, may be vulnerable to XML External Entity (XXE) attacks. A remote attacker able to send XML requests to a HornetQ REST endpoint could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Find out more about CVE-2014-3599 from the MITRE CVE dictionary dictionary and NIST NVD.
Not Vulnerable. HornetQ REST is not provided by any Red Hat product.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Satellite 6 | hornetq | Not affected |
When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.
Vulmon