Security Advisory Moderate: resteasy-base security update

Advisory: RHSA-2014:1011-1
Type: Security Advisory
Severity: Moderate
Issued on: 2014-08-06
Last updated on: 2014-08-06
Affected Products: Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Workstation (v. 7)
CVEs (cve.mitre.org): CVE-2014-3490

Details

Updated resteasy-base packages that fix one security issue are now
available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

RESTEasy is a JBoss project that provides frameworks to help build
RESTful Web Services and RESTful Java applications. It is a fully certified
and portable implementation of the JAX-RS specification.

It was found that the fix for CVE-2012-0818 was incomplete: external
parameter entities were not disabled when the
resteasy.document.expand.entity.references parameter was set to false.
A remote attacker able to send XML requests to a RESTEasy endpoint could
use this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2014-3490)
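
The gap described above can be checked on any JAXP parser configuration. The following is an added example, not RESTEasy code and not the backported patch: it records which external identifiers a parser asks for when entity-reference expansion alone is turned off, and again when external general and parameter entities are also disabled. The class name, the sample document and its placeholder system identifier are constructed for illustration.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class ParameterEntityCheck {
    // Constructed sample: the DTD declares and references an external *parameter* entity.
    // The system identifier is a placeholder; the recording resolver never opens it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order [\n"
      + "  <!ENTITY % ext SYSTEM \"file:///placeholder/ext.dtd\">\n"
      + "  %ext;\n"
      + "]>\n"
      + "<order><id>1</id></order>";

    // Parses SAMPLE and returns every system identifier the parser tried to load.
    static List<String> externalLoads(DocumentBuilderFactory dbf) throws Exception {
        List<String> seen = new ArrayList<>();
        DocumentBuilder db = dbf.newDocumentBuilder();
        db.setEntityResolver((publicId, systemId) -> {
            seen.add(systemId);
            // Empty stand-in content: no file or network I/O takes place.
            return new InputSource(new StringReader(""));
        });
        db.parse(new InputSource(new StringReader(SAMPLE)));
        return seen;
    }

    public static void main(String[] args) throws Exception {
        // Weak: only entity-reference expansion is switched off.
        DocumentBuilderFactory weak = DocumentBuilderFactory.newInstance();
        weak.setExpandEntityReferences(false);
        System.out.println("expandEntityReferences=false only: " + externalLoads(weak));

        // Hardened: external general and parameter entities are disabled as well.
        DocumentBuilderFactory hard = DocumentBuilderFactory.newInstance();
        hard.setExpandEntityReferences(false);
        hard.setFeature("http://xml.org/sax/features/external-general-entities", false);
        hard.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        hard.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        System.out.println("external entities disabled:        " + externalLoads(hard));
    }
}
```

A non-empty first list means the parser still requested the external parameter entity with expansion turned off; the hardened factory should report no external loads.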

This issue was discovered by David Jorm of Red Hat Product Security.

All resteasy-base users are advised to upgrade to these updated packages,
which contain a backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Updated packages

The same packages apply to each of the following products:

Red Hat Enterprise Linux Desktop (v. 7)
Red Hat Enterprise Linux HPC Node (v. 7)
Red Hat Enterprise Linux Server (v. 7)
Red Hat Enterprise Linux Workstation (v. 7)

SRPMS:
resteasy-base-2.3.5-3.el7_0.src.rpm

x86_64:
resteasy-base-2.3.5-3.el7_0.noarch.rpm
resteasy-base-atom-provider-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jackson-provider-2.3.5-3.el7_0.noarch.rpm
resteasy-base-javadoc-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jaxb-provider-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jaxrs-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jaxrs-all-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jaxrs-api-2.3.5-3.el7_0.noarch.rpm
resteasy-base-jettison-provider-2.3.5-3.el7_0.noarch.rpm
resteasy-base-providers-pom-2.3.5-3.el7_0.noarch.rpm
resteasy-base-tjws-2.3.5-3.el7_0.noarch.rpm

All files listed above are outdated by: RHBA-2015:0451
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1107901 - CVE-2014-3490 RESTEasy: XXE via parameter entities


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/