Vulnerability CVE-2014-3490

Vulnerability Name:

CVE-2014-3490 (CCN-95252)

Assigned:

2014-07-23

Published:

2014-07-23

Updated:

2019-03-21

Summary:

RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have other unspecified impact via unspecified vectors, related to an XML External Entity (XXE) issue.
Note: this vulnerability exists because of an incomplete fix for CVE-2012-0818.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (REDHAT CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other
CWE-611

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-3490

Source: CCN
Type: RHSA-2014-1011
Moderate: resteasy-base security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1011

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1039

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1040

Source: REDHAT
Type: Third Party Advisory
RHSA-2014:1298

Source: CCN
Type: RHSA-2015-0125
Important: Red Hat JBoss Web Framework Kit 2.7.0 update

Source: REDHAT
Type: Third Party Advisory
RHSA-2015:0125

Source: REDHAT
Type: Third Party Advisory
RHSA-2015:0675

Source: REDHAT
Type: Third Party Advisory
RHSA-2015:0720

Source: REDHAT
Type: Third Party Advisory
RHSA-2015:0765

Source: SECUNIA
Type: Third Party Advisory
60019

Source: CCN
Type: IBM Security Bulletin 1689963
JBoss RestEasy vulnerabilities in IBM Emptoris Contract Management (CVE-2014-3490)

Source: CCN
Type: RESTEasy Web site
RESTEasy

Source: CCN
Type: Oracle CPUOct2018
Oracle Critical Patch Update Advisory - October 2018

Source: CONFIRM
Type: Patch, Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Source: BID
Type: Third Party Advisory, VDB Entry
69058

Source: CCN
Type: BID-69058
RESTEasy Incomplete Fix XML Entity References Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
resteasy-cve20143490-info-disc(95252)

Source: CONFIRM
Type: Third Party Advisory
https://github.com/resteasy/Resteasy/pull/521

Source: CONFIRM
Type: Third Party Advisory
https://github.com/resteasy/Resteasy/pull/533

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/ronsigal/Resteasy/commit/9b7d0f574cafdcf3bea5428f3145ab4908fc6d83

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-3490

Vulnerable Configuration:

Configuration 1:

cpe:/a:redhat:jboss_enterprise_application_platform:6.3.0:*:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:*:*:*:*:*:*:*:* (Version >= 2.3.1 and <= 2.3.7.2)

OR cpe:/a:redhat:resteasy:3.0:beta1:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:beta2:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:beta3:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:beta4:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:beta5:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:beta6:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:3.0:rc1:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:*:*:*:*:*:*:*:* (Version >= 3.0.0 and < 3.0.9)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:redhat:resteasy:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:redhat:resteasy:2.3.0:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux_hpc_node:7:*:*:*:*:*:*:*

OR cpe:/a:ibm:emptoris_contract_management:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:27166	P	ELSA-2014-1011 -- resteasy-base security update (moderate)	2014-12-15
oval:org.mitre.oval:def:26424	P	RHSA-2014:1011: resteasy-base security update (Moderate)	2014-10-13
oval:com.redhat.rhsa:def:20141011	P	RHSA-2014:1011: resteasy-base security update (Moderate)	2014-08-29

BACK