RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability



RESTEasy is prone to an information-disclosure vulnerability caused by its handling of XML external entity references (XXE) in request bodies.

A remote attacker can exploit this issue to read local files on the server that hosts the affected application. Information obtained may aid in further attacks.

Note: This issue is the result of an incomplete fix for the issue described in BID 51748 (RESTEasy XML Entity References Information Disclosure Vulnerability).
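The pattern behind an "incomplete fix" for this class of bug is worth seeing in code. The following Java program is an added example written for this page; it is not RESTEasy code and does not reproduce the exact RESTEasy code path fixed for this issue. It uses plain JAXP (javax.xml.parsers) to compare two DocumentBuilderFactory configurations against a constructed XXE payload: one that only calls setExpandEntityReferences(false), which controls whether entity references are inlined into the DOM but does not stop the parser from fetching the external entity's target, and one that rejects the DOCTYPE declaration outright and additionally disables external general entities, external parameter entities and external DTD loading. The "secret" file, the payload and the class and method names are all constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example (not RESTEasy code): contrasts an insufficient XXE mitigation
// with a hardened JAXP parser configuration.
public class XxeFixCheck {

    // Parser that only turns off entity-reference expansion in the DOM tree.
    // This mirrors the incomplete-fix pattern: the parser still resolves the
    // external entity (reading the referenced file); it merely keeps the
    // result under an EntityReference node instead of inlining it.
    static DocumentBuilder incompleteFix() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Hardened parser: refuse any DOCTYPE (which is where entities are
    // declared), and as defence in depth disable external general and
    // parameter entities, external DTD loading and XInclude.
    static DocumentBuilder hardened() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    // Parse the document and return the text content of the root element,
    // or a description of why the parser rejected the input.
    static String parse(DocumentBuilder db, String xml) throws Exception {
        try {
            Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a local file an attacker wants to read
        // (used instead of a real system file so the example runs anywhere).
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db_password=example-only");
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: an external general entity whose SYSTEM
        // identifier points at that file, referenced from the element body.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE data [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<data>&xxe;</data>";

        System.out.println("expandEntityReferences(false) only: " + parse(incompleteFix(), payload));
        System.out.println("disallow-doctype-decl and friends:  " + parse(hardened(), payload));
    }
}
```

Run it with a recent JDK (java XxeFixCheck.java). The first line shows the file contents surfacing through the root element's text despite setExpandEntityReferences(false); the second shows a SAXParseException because the DOCTYPE is disallowed. When auditing a fix for an XXE report, check which of these two things the patch actually does: a setting that only changes how entities are represented in the parsed tree is not a fix.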

Information

Bugtraq ID: 69058
Class: Design Error
CVE: CVE-2014-3490

Remote: Yes
Local: No
Published: Jul 23 2014 12:00AM
Updated: Oct 17 2018 07:00AM
Credit: David Jorm
Vulnerable: RESTEasy RESTEasy 2.3
RESTEasy RESTEasy 2.3.2
RESTEasy RESTEasy 2.3.1
Redhat JBoss Enterprise Application Platform 6.3
Redhat JBoss Enterprise Application Platform 6 EL6
Redhat JBoss Enterprise Application Platform 6 EL5
Redhat JBoss Data Grid 6.3
Redhat Enterprise Linux 7
Oracle Enterprise Linux 7
Oracle Communications Performance Intelligence Center (PIC) Software 10.1.5.1
IBM Emptoris Contract Management 10.0.2 2
IBM Emptoris Contract Management 10.0.2 0
IBM Emptoris Contract Management 10.0.2.1


Not Vulnerable: RESTEasy RESTEasy 3.0.9
Redhat JBoss Data Grid 6.3.1
Oracle Communications Performance Intelligence Center (PIC) Software 10.2


Exploit


Attackers can use readily available tools to exploit this issue.

