HornetQ issue HORNETQ-1390

CVE-2014-3599 HornetQ REST: XXE due to insecure configuration of RestEasy [hornetq-rest]

    Details

    • Security Sensitive Issue:
      This issue is security relevant
    • Workaround Description:

      When using HornetQ REST in an application, add the following snippet to its web.xml file to disable entity expansion in RESTEasy as used by HornetQ REST endpoints:

      <context-param>
          <param-name>resteasy.document.expand.entity.references</param-name>
          <param-value>false</param-value>
      </context-param>
      

      Description

      HornetQ REST applications are vulnerable to XXE attacks due to insecure defaults. For more information see CVE-2014-3599.

      Resolving this requires HornetQ either to set the resteasy.document.expand.entity.references context parameter to false by default or to upgrade to a RESTEasy version that contains a fix for RESTEASY-1091.

      Additionally, note that the RESTEasy version currently in use is also vulnerable to CVE-2014-3490; a fix for that issue is expected in RESTEasy 3.0.9.Final.
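As an added example (not part of this issue or the HornetQ project), a small Python check that audits a web.xml for the workaround described above: a missing parameter is reported as the insecure default, and the whitespace that deployment descriptors often wrap around param values is stripped before comparison. The two sample descriptors are constructed for the check.

```python
"""Audit a web.xml for the RESTEasy entity-expansion context-param (HORNETQ-1390 workaround)."""
import xml.etree.ElementTree as ET

PARAM = "resteasy.document.expand.entity.references"


def _local(tag):
    # Strip the XML namespace so the check works for any web-app schema version.
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml):
    """Return {param-name: param-value} for every <context-param> in the descriptor.
    Values are whitespace-stripped: '\\n false \\n' must still be read as 'false'."""
    root = ET.fromstring(web_xml)  # stdlib expat does not resolve external entities
    params = {}
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def entity_expansion_disabled(web_xml):
    """True only if the workaround is present and explicitly set to false.
    A missing parameter means RESTEasy's insecure default applies."""
    value = context_params(web_xml).get(PARAM)
    return value is not None and value.lower() == "false"


# Constructed sample descriptors (not taken from the issue)
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>hornetq-rest-app</display-name>
</web-app>"""

FIXED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name> resteasy.document.expand.entity.references </param-name>
    <param-value>
      false
    </param-value>
  </context-param>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, "->", "OK" if entity_expansion_disabled(doc) else "MISSING WORKAROUND")
```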

                People

                • Assignee: Clebert Suconic (clebert.suconic)
                • Reporter: Arun Neelicattu (abn)