rhsa-2012_1058
Vulnerability from csaf_redhat
Published
2012-07-05 19:23
Modified
2024-11-14 11:31
Summary
Red Hat Security Advisory: resteasy security update
Notes
Topic
Updated resteasy packages that fix one security issue are now available for
JBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and
6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
RESTEasy provides various frameworks to help you build RESTful web services
and RESTful Java applications.
It was found that RESTEasy was vulnerable to XML External Entity (XXE)
attacks. If a remote attacker submitted a request containing an external
XML entity to a RESTEasy endpoint, the entity would be resolved, allowing
the attacker to read files accessible to the user running the application
server. This flaw affected DOM (Document Object Model) Document and JAXB
(Java Architecture for XML Binding) input. (CVE-2012-0818)
Note: The fix for CVE-2012-0818 is not enabled by default. This update adds
a new configuration option to disable entity expansion in RESTEasy. If
applications on your server expose RESTEasy XML endpoints, a
resteasy.document.expand.entity.references configuration snippet must be
added to their web.xml file to disable entity expansion in RESTEasy. Refer
to Red Hat Bugzilla bug 785631 for details.
Warning: Before applying this update, back up your JBoss Enterprise Web
Platform's "jboss-as-web/server/[PROFILE]/deploy/" directory and any other
customized configuration files.
Users of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,
5, and 6 should upgrade to these updated packages, which correct this
issue. The JBoss server process must be restarted for this update to take
effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated resteasy packages that fix one security issue are now available for\nJBoss Enterprise Web Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and\n6.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.", "title": "Topic" }, { "category": "general", "text": "RESTEasy provides various frameworks to help you build RESTful web services\nand RESTful Java applications.\n\nIt was found that RESTEasy was vulnerable to XML External Entity (XXE)\nattacks. If a remote attacker submitted a request containing an external\nXML entity to a RESTEasy endpoint, the entity would be resolved, allowing\nthe attacker to read files accessible to the user running the application\nserver. This flaw affected DOM (Document Object Model) Document and JAXB\n(Java Architecture for XML Binding) input. (CVE-2012-0818)\n\nNote: The fix for CVE-2012-0818 is not enabled by default. This update adds\na new configuration option to disable entity expansion in RESTEasy. If\napplications on your server expose RESTEasy XML endpoints, a\nresteasy.document.expand.entity.references configuration snippet must be\nadded to their web.xml file to disable entity expansion in RESTEasy. Refer\nto Red Hat Bugzilla bug 785631 for details.\n\nWarning: Before applying this update, back up your JBoss Enterprise Web\nPlatform\u0027s \"jboss-as-web/server/[PROFILE]/deploy/\" directory and any other\ncustomized configuration files.\n\nUsers of JBoss Enterprise Web Platform 5.1.2 on Red Hat Enterprise Linux 4,\n5, and 6 should upgrade to these updated packages, which correct this\nissue. The JBoss server process must be restarted for this update to take\neffect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2012:1058", "url": "https://access.redhat.com/errata/RHSA-2012:1058" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "785631", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2012/rhsa-2012_1058.json" } ], "title": "Red Hat Security Advisory: resteasy security update", "tracking": { "current_release_date": "2024-11-14T11:31:25+00:00", "generator": { "date": "2024-11-14T11:31:25+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.0" } }, "id": "RHSA-2012:1058", "initial_release_date": "2012-07-05T19:23:00+00:00", "revision_history": [ { "date": "2012-07-05T19:23:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2012-07-05T19:27:10+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-14T11:31:25+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product": { "name": "Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product": { "name": "Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el4" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product": { "name": "Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product": { "name": "Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Platform" }, { "branches": [ { "category": "product_version", "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_id": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-manual@1.2.1-10.CP02_patch01.1.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_id": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-examples@1.2.1-10.CP02_patch01.1.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_id": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-javadoc@1.2.1-10.CP02_patch01.1.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_id": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-manual@1.2.1-10.CP02_patch01.1.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_id": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-examples@1.2.1-10.CP02_patch01.1.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_id": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-javadoc@1.2.1-10.CP02_patch01.1.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_id": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-manual@1.2.1-10.CP02_patch01.1.ep5.el6?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el6?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_id": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-examples@1.2.1-10.CP02_patch01.1.ep5.el6?arch=noarch" } } }, { "category": "product_version", "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_id": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy-javadoc@1.2.1-10.CP02_patch01.1.ep5.el6?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el4?arch=src" } } }, { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el5?arch=src" } } }, { "category": "product_version", "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "product": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "product_id": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/resteasy@1.2.1-10.CP02_patch01.1.ep5.el6?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "relates_to_product_reference": "4AS-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 AS", "product_id": "4AS-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "relates_to_product_reference": "4ES-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 4 ES", "product_id": "4ES-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" }, "product_reference": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "relates_to_product_reference": "5Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch" }, "product_reference": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch" }, "product_reference": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 5 Server", "product_id": "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch" }, "product_reference": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "relates_to_product_reference": "6Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src" }, "product_reference": "resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "relates_to_product_reference": "6Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" }, "product_reference": "resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "relates_to_product_reference": "6Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" }, "product_reference": "resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "relates_to_product_reference": "6Server-JBEWP-5" }, { "category": "default_component_of", "full_product_name": { "name": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch as a component of Red Hat JBoss Web Platform 5 for RHEL 6 Server", "product_id": "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" }, "product_reference": "resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "relates_to_product_reference": "6Server-JBEWP-5" } ] }, "vulnerabilities": [ { "cve": "CVE-2011-5245", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2012-01-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4AS-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4ES-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "785631" } ], "notes": [ { "category": "description", "text": "The readFrom function in providers.jaxb.JAXBXmlTypeProvider in RESTEasy before 2.3.2 allows remote attackers to read arbitrary files via an external entity reference in a Java Architecture for XML Binding (JAXB) input, aka an XML external entity (XXE) injection attack, a similar vulnerability to CVE-2012-0818.", "title": "Vulnerability description" }, { "category": "summary", "text": "RESTEasy: XML eXternal Entity (XXE) flaw", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ], "known_not_affected": [ "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4AS-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4ES-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-5245" }, { "category": "external", "summary": "RHBZ#785631", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-5245", "url": "https://www.cve.org/CVERecord?id=CVE-2011-5245" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5245" } ], "release_date": "2011-12-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2012-07-05T19:23:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258", "product_ids": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2012:1058" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "RESTEasy: XML eXternal Entity (XXE) flaw" }, { "cve": "CVE-2012-0818", "cwe": { "id": "CWE-611", "name": "Improper Restriction of XML External Entity Reference" }, "discovery_date": "2012-01-24T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4AS-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4ES-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "785631" } ], "notes": [ { "category": "description", "text": "RESTEasy before 2.3.1 allows remote attackers to read arbitrary files via an external entity reference in a DOM document, aka an XML external entity (XXE) injection attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "RESTEasy: XML eXternal Entity (XXE) flaw", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ], "known_not_affected": [ "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4AS-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4AS-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el4.src", "4ES-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch", "4ES-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el4.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2012-0818" }, { "category": "external", "summary": "RHBZ#785631", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=785631" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2012-0818", "url": "https://www.cve.org/CVERecord?id=CVE-2012-0818" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818", "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0818" } ], "release_date": "2011-12-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2012-07-05T19:23:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/knowledge/articles/11258", "product_ids": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2012:1058" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el5.src", "5Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "5Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el5.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-0:1.2.1-10.CP02_patch01.1.ep5.el6.src", "6Server-JBEWP-5:resteasy-examples-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-javadoc-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch", "6Server-JBEWP-5:resteasy-manual-0:1.2.1-10.CP02_patch01.1.ep5.el6.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "RESTEasy: XML eXternal Entity (XXE) flaw" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.