You should definitely upgrade to a recent version of RESTEasy to avoid security issues.

Cheers
Alessio

On Thu, Jul 13, 2017 at 4:49 AM, Wang Veronica <veronica_bj2004@hotmail.com> wrote:
Hi experts,
We use resteasy 3.0.6final, and an XXE vulnerability was reported during a penetration test.

It seems that 3.0.6final contains a partial fix for the XXE vulnerability, but the resteasy.document.expand.entity.references parameter needs to be set to false explicitly. A more complete fix seems to have been made after 3.0.10.

We can upgrade to a more recent version, e.g. 3.1.2. Another option I am thinking of is not supporting the XML media type at all (we actually only need to support JSON). Is this a feasible approach to ultimately avoid XXE attacks, and are there any pointers on how to achieve this? (In our REST API code, we currently declare consume and produce annotations to support application/xml and application/json.)
Is there a simple resteasy configuration to disable support for application/xml?

Thanks, Veronica

_______________________________________________
resteasy mailing list
resteasy@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/resteasy
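The JSON-only approach Veronica asks about, as an added example that is not part of the thread and not RESTEasy project code: a JAX-RS resource that declares only application/json in its @Consumes/@Produces annotations, so a request carrying an XML body is rejected by media-type matching (HTTP 415) before any XML provider parses it. The web.xml fragment in the leading comment sets the resteasy.document.expand.entity.references parameter named in the thread for deployments that must keep application/xml enabled until the upgrade lands. The class, path and field names are hypothetical.

```java
// Added example, not from the mailing-list thread.
//
// Interim hardening while application/xml is still accepted (web.xml,
// parameter name as given in the thread):
//
//   <context-param>
//     <param-name>resteasy.document.expand.entity.references</param-name>
//     <param-value>false</param-value>
//   </context-param>
//
// Preferred option from the thread: stop accepting XML at the JAX-RS layer.
// With JSON as the only declared media type, RESTEasy answers
// "Content-Type: application/xml" with 415 Unsupported Media Type and the
// request body never reaches a JAXB/DOM parser, so there is nothing for an
// external entity to expand.
package example.api;

import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/orders")
@Consumes(MediaType.APPLICATION_JSON)   // class-level default: request bodies must be JSON
@Produces(MediaType.APPLICATION_JSON)   // class-level default: responses are JSON
public class OrderResource {

    /** Hypothetical payload type; a JSON provider such as Jackson binds it. */
    public static class Order {
        public String id;
        public int quantity;

        public Order() { }               // no-arg constructor needed for deserialisation
    }

    @GET
    @Path("/{id}")
    public Order get(@PathParam("id") String id) {
        Order o = new Order();
        o.id = id;
        o.quantity = 1;
        return o;
    }

    // Do NOT re-add application/xml at method level: a method-level
    // @Consumes/@Produces overrides the class-level one, and a single method
    // that lists XML re-opens the XML parsing path for that endpoint.
    @POST
    public Response create(Order order) {
        // A request sent with Content-Type: application/xml never gets here;
        // JAX-RS method matching fails on @Consumes and returns 415.
        return Response.status(Response.Status.CREATED).entity(order).build();
    }
}
```

To verify the change after deployment, send a request with `Content-Type: application/xml` and an arbitrary XML body to the endpoint and confirm the server answers 415 rather than 200 or 400; also grep the code base for any remaining `application/xml` or `MediaType.APPLICATION_XML` annotations, since one overlooked method keeps the XML provider reachable. The annotations only govern bodies routed through JAX-RS; any other servlet or library in the same application that parses XML is unaffected and still needs the upgrade Alessio recommends.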