It was found that the JAXP implementation used in EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.
Find out more about CVE-2017-7464 from the MITRE CVE dictionary dictionary and NIST NVD.
NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.
| Base Score | 4 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:N/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | None |
| Availability Impact | Partial |
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 8.7 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | High |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Package | State |
|---|---|---|
| Red Hat Mobile Application Platform On-Premise 4 | security | Not affected |
| Red Hat JBoss Web Server 3.0 | tomcat | Not affected |
| Red Hat JBoss EAP 7 | XML Frameworks | Will not fix |
Enable the security features of the DocumentBuilderFactory or SaxParserFactory as described by OWASP:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
Vulmon